Closed Bug 784011 Opened 8 years ago Closed 8 years ago

Assertion failure: !entered && i < mLength, at ./dist/include/js/Vector.h:342 or Crash [@ js::ParallelArrayObject::getParallelArrayElement]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

Tracking

VERIFIED FIXED
mozilla17
Tracking Status
firefox16 --- unaffected
firefox17 --- verified
firefox-esr10 --- unaffected

People

(Reporter: decoder, Unassigned)

Details

(5 keywords, Whiteboard: [jsbugmon:update,bisect,ignore][adv-track-main17-])

Attachments

(1 file)

The following test asserts/crashes on mozilla-central revision c676b554c7bb (options -m -n -a):


var p2 = new ParallelArray([2,2], function(i,j) { return i+j; });
p2.get({ 0: 1, 1: 0, testGet: 2 })


Opt-build shows:

==53622== Invalid read of size 4
==53622==    at 0x5797EA: js::ParallelArrayObject::getParallelArrayElement(JSContext*, js::ParallelArrayObject::IndexInfo&, JS::MutableHandle<JS::Value>) (ParallelArray.cpp:906)
==53622==    by 0x57AB38: js::ParallelArrayObject::get(JSContext*, JS::CallArgs) (ParallelArray.cpp:1452)
==53622==    by 0x57ABD8: int NonGenericMethod<&(js::ParallelArrayObject::get(JSContext*, JS::CallArgs))>(JSContext*, unsigned int, JS::Value*) (jsapi.h:1570)
==53622==    by 0x48F9FF: js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:389)
==53622==    by 0x484A59: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2423)
==53622==    by 0x48F8EC: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:308)
==53622==    by 0x490621: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:492)
==53622==    by 0x419CA4: JS_ExecuteScript (jsapi.cpp:5673)
==53622==    by 0x4088AC: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:433)
==53622==    by 0x40B7AB: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4813)
==53622==    by 0x40BC8D: main (js.cpp:5031)
==53622==  Address 0xbfefff0dc is not stack'd, malloc'd or (recently) free'd
Whiteboard: [jsbugmon:update] → [jsbugmon:update,bisect]
Attached patch: fix and testcase
Attachment #653430 - Flags: review?(dmandelin)
Attachment #653430 - Flags: review?(dmandelin) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   102665:ea2ad8970f3e
user:        Shu-yu Guo
date:        Fri Aug 17 10:38:59 2012 -0700
summary:     Bug 778559 - Implement ParallelArray API with sequential execution (r=dmandelin)
The bisection was of course not necessary, I was just testing the new bot functionality to perform these in an automated way :)
https://hg.mozilla.org/mozilla-central/rev/f3c8dd3b9ea4
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:update,bisect,ignore][adv-track-main17-]
Blocks: 778559
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+