Open Bug 1926667 Opened 10 months ago Updated 10 months ago

Assertion failure: tag == SCTAG_TRANSFER_MAP_HEADER at vm/StructuredClone:3511 on big endian

Categories

(Core :: JavaScript Engine, defect, P3)

Firefox 128

ASSIGNED

People

(Reporter: awilfox, Assigned: awilfox)

References

(Blocks 1 open bug)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:128.0) Gecko/20100101 Firefox/128.0

Steps to reproduce:

Using an --enable-debug build of Firefox 128.3.1 ESR in a Big Endian system (powerpc64-linux-musl), navigated to https://git.adelielinux.org/adelie/packages, a GitLab repository.

Actual results:

Tab crash displayed. Console output:

[36469] Assertion failure: tag == SCTAG_TRANSFER_MAP_HEADER, at /home/awilcox/Code/awilfox/icu-next/user/firefox-esr/src/firefox-128.3.1/js/src/vm/StructuredClone.cpp:3511

Expected results:

The Pair stored at vm/StructuredClone.cpp:3390 should be swapped to little endian. Wrapping the PairToUInt64 call with NativeEndian::swapToLittleEndian fixes the crash.

Assignee: nobody → AWilcox
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
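
The mismatch described in the report, as an added example that is not part of the bug or of Mozilla's code: a (tag, data) pair stored in big-endian byte order and then decoded as little-endian no longer carries the expected tag, while a little-endian store round-trips. The names pairToU64, storeLE, storeBE, readTag and kHeaderTag are hypothetical, the tag value is a constructed stand-in, and the little-endian reader is an assumption taken from the report's proposed fix.

```cpp
#include <cstdint>

// Constructed stand-in for the header tag; not copied from StructuredClone.cpp.
constexpr uint32_t kHeaderTag = 0xFFFF0200u;

// Pack a (tag, data) pair into one 64-bit word, tag in the high half.
uint64_t pairToU64(uint32_t tag, uint32_t data) {
  return (uint64_t(tag) << 32) | data;
}

// Byte image of a 64-bit word as a little-endian CPU stores it.
void storeLE(uint8_t out[8], uint64_t v) {
  for (int i = 0; i < 8; i++) out[i] = uint8_t(v >> (8 * i));
}

// Byte image of the same word as a big-endian CPU stores it (no swap applied).
void storeBE(uint8_t out[8], uint64_t v) {
  for (int i = 0; i < 8; i++) out[i] = uint8_t(v >> (8 * (7 - i)));
}

// Reader side: decode the buffer as little-endian regardless of host byte
// order, then take the high half as the tag.
uint32_t readTag(const uint8_t in[8]) {
  uint64_t v = 0;
  for (int i = 0; i < 8; i++) v |= uint64_t(in[i]) << (8 * i);
  return uint32_t(v >> 32);
}

// Unswapped native store on a big-endian host: the reader sees the byte-swapped
// data word where the tag should be, so a tag equality assertion fails.
uint32_t tagAfterNativeWriteOnBE(uint32_t data) {
  uint8_t buf[8];
  storeBE(buf, pairToU64(kHeaderTag, data));
  return readTag(buf);
}

// Store converted to little-endian first: the tag survives the round trip.
uint32_t tagAfterSwappedWrite(uint32_t data) {
  uint8_t buf[8];
  storeLE(buf, pairToU64(kHeaderTag, data));
  return readTag(buf);
}
```
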

The patch works in ESR 128 and I forward-ported it to central but I haven't been able to test Nightly nor run jsapi-tests yet.

Something else to note is that I can't tell if the second headerPos.write() needs to be swapped or not. It looks like it should be, but ESR 128 runs fine with or without that line changed. That is one of the reasons I'd rather put this through jsapi-tests first…

Tests on Nightly (--enable-project=js) look good; the Date/Intl regressions are caused by musl as far as I can tell. Float64Array bug might be legitimate but it's unrelated.

awilcox on gwyn ~/Code/contrib/mozilla-unified % MOZCONFIG=mozconfig.js ./mach jsapi-tests
Passed: ran 412 tests.
awilcox on gwyn ~/Code/contrib/mozilla-unified % MOZCONFIG=mozconfig.js ./mach jstests
[45956| 22| 0| 6129] 100% ======================================>| 286.9s
REGRESSIONS
--enable-float16array test262/built-ins/TypedArray/prototype/set/typedarray-arg-set-values-same-buffer-other-type.js
non262/Date/15.9.5.7.js
non262/Intl/available-locales-supported.js
non262/Intl/available-locales-resolved.js
non262/Intl/supportedValuesOf-timeZones-canonical.js
non262/Intl/DisplayNames/currency.js
non262/Intl/DisplayNames/calendar.js
non262/Intl/DisplayNames/language-dialect.js
non262/Intl/NumberFormat/currency-narrow-symbol.js
non262/Intl/DateTimeFormat/fractional-second-digits-append-item.js
non262/Intl/DateTimeFormat/formatRange-timeZoneName-matches-format.js
non262/Intl/DateTimeFormat/related-year.js
non262/Intl/DateTimeFormat/timeZone_version.js
non262/Intl/DateTimeFormat/day-period-hour-cycle.js
non262/Intl/DateTimeFormat/formatRange-timeZone-offset.js
non262/Intl/DateTimeFormat/timeZone_backward_links.js
non262/Intl/DateTimeFormat/formatRange-timeZoneName.js
non262/Intl/Collator/implicithan.js
non262/Intl/Collator/big5han-gb2312han.js
non262/Intl/Locale/likely-subtags.js
non262/Intl/ListFormat/conjunction-type.js
non262/Intl/Locale/likely-subtags-generated.js
FAIL

Blocks: sm-runtime
Severity: -- → S3
Priority: -- → P3