"Assertion failure: (&term - term.atom.parenthesesWidth)->inputPosition == term.inputPosition,"

RESOLVED FIXED in mozilla20

Status

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Last modified: 4 years ago

People

(Reporter: gkw, Assigned: dvander)

Tracking

Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla20
Platform: x86_64
OS: Mac OS X
Keywords: assertion, regression, testcase
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [fuzzblocker] [js:p1] [jsbugmon:update,ignore])

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 678219: stack

"h".match(RegExp("()??t()*"))

asserts js debug shell on m-c changeset 2937fd8e35a1 without any CLI arguments at Assertion failure: (&term - term.atom.parenthesesWidth)->inputPosition == term.inputPosition,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   112142:8bf2f8cb5e73
user:        David Anderson
date:        Thu Nov 01 21:35:25 2012 -0700
summary:     Update Yarr to WebKit rev 130234 (bug 740015, r=dmandelin).
(Reporter)

Comment 1

6 years ago
Setting fuzzblocker because this is triggered quite often by jsfunfuzz.
(Reporter)

Comment 2

6 years ago
dvander, is this a bug in our YARR adaptation, or is this an upstream bug?
Flags: needinfo?(dvander)
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker][jsbugmon:update][js:p1:fx20]
Turns out this is upstream. I filed WebKit bug https://bugs.webkit.org/show_bug.cgi?id=104846.
Flags: needinfo?(dvander)
Created attachment 691540 (patch): a fix

I don't know if we should take this or not, but probably, if it will help fuzzing. It disables the assert, and uses the value which is sensible (I don't think -1 is supposed to leak into inputPosition).
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #691540 - Flags: review?
Attachment #691540 - Flags: review? → review?(sstangl)
Err, ignore the non-Yarr stuff in that patch :)

Updated

6 years ago
Attachment #691540 - Flags: review?(sstangl) → review+
(Reporter)

Comment 7

6 years ago
dvander mentioned to add [leave open].

https://hg.mozilla.org/integration/mozilla-inbound/rev/cd2eb9705765
Whiteboard: [fuzzblocker][jsbugmon:update][js:p1:fx20] → [fuzzblocker][jsbugmon:update][js:p1:fx20][leave open]
Whiteboard: [fuzzblocker][jsbugmon:update][js:p1:fx20][leave open] → [fuzzblocker] [js:p1:fx20][leave open] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd277d439d31).
(Reporter)

Comment 10

6 years ago
Unfortunately in changeset cd2eb9705765 I forgot to set dvander as the author of the patch, sorry for that.
(Reporter)

Updated

6 years ago
Depends on: 824856
(Reporter)

Updated

6 years ago
Depends on: 828019
(Reporter)

Comment 11

5 years ago
dvander is unlikely to be working on this in the future.
Assignee: dvander → nobody
Status: ASSIGNED → NEW
(Reporter)

Updated

5 years ago
QA Contact: general
Keywords: leave-open
Whiteboard: [fuzzblocker] [js:p1:fx20][leave open] [jsbugmon:update,ignore] → [fuzzblocker] [js:p1] [jsbugmon:update,ignore]
I don't see a good reason to leave this open, anymore. The crash is fixed and we haven't seen any obvious regressions caused by the new behavior.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Keywords: leave-open
Resolution: --- → FIXED
Assignee: nobody → dvander
Target Milestone: --- → mozilla20