Open
Bug 1901412
Opened 29 days ago
Updated 17 days ago
Assertion failure: !data()->args[i].isMagic(), at /root/src/js/src/vm/ArgumentsObject.h:395
Categories
(Core :: JavaScript Engine, defect, P3)
Core
JavaScript Engine
Tracking
()
UNCONFIRMED
People
(Reporter: nils.bars, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: regression)
Attachments
(1 file)
|
337 bytes,
application/x-javascript
|
Details |
Steps to reproduce:
Checkout commit 15778b8c32f8535624fff2af36fc669e65a9af3 and invoke the js shell as follows:
/root/js-spidermonkey-shell --fuzzing-safe <testcase>
Actual results:
Assertion failure: !data()->args[i].isMagic(), at /root/src/js/src/vm/ArgumentsObject.h:395
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 125 → Trunk
|
||
Updated•29 days ago
|
Group: core-security → javascript-core-security
|
||
Comment 1•28 days ago
|
||
Test below fails with --fast-warmup --no-threads.
The debugger creates an arguments object for the frame that has a JS_OPTIMIZED_OUT magic value for argument 0.
function f() {
var dbg = newGlobal({newCompartment: true}).Debugger(this);
dbg.getNewestFrame().older.eval(`arguments[0] = arguments`);
}
class Cls {
constructor(c) {
for (var i = 0; i < 60; i++) {}
f();
}
}
new Cls(Cls);
|
|
||
Updated•28 days ago
|
Group: javascript-core-security
|
||
Updated•27 days ago
|
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/8246a4ba7eeb
user: Jon Coppeard
date: Mon Nov 13 16:03:20 2023 +0000
summary: Bug 1864419 - Part 2: Add GCOwnedArray for arrays of GC data owned by GC things that may live in the nursery r=jandem
Jon, is bug 1864419 a likely regressor?
|
||
Comment 3•21 days ago
|
||
Probably just the last patch to touch this code. Sounds like a debugger issue from previous comments.
Flags: needinfo?(jcoppeard)
No longer regressed by: 1864419
You need to log in
before you can comment on or make changes to this bug.
Description
•