Closed Bug 808478 Opened 8 years ago Closed 7 years ago

"Assertion failure: (&term - term.atom.parenthesesWidth)->inputPosition == term.inputPosition,"

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED FIXED
mozilla20

People

(Reporter: gkw, Assigned: dvander)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker] [js:p1] [jsbugmon:update,ignore])

Attachments

(2 files)

Attached file stack
"h".match(RegExp("()??t()*"))

asserts js debug shell on m-c changeset 2937fd8e35a1 without any CLI arguments at Assertion failure: (&term - term.atom.parenthesesWidth)->inputPosition == term.inputPosition,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   112142:8bf2f8cb5e73
user:        David Anderson
date:        Thu Nov 01 21:35:25 2012 -0700
summary:     Update Yarr to WebKit rev 130234 (bug 740015, r=dmandelin).
Setting fuzzblocker because this is triggered quite often by jsfunfuzz.
dvander, is this a bug in our YARR adaptation, or is this an upstream bug?
Flags: needinfo?(dvander)
Whiteboard: [fuzzblocker][jsbugmon:update] → [fuzzblocker][jsbugmon:update][js:p1:fx20]
Turns out this is upstream. I filed WebKit bug https://bugs.webkit.org/show_bug.cgi?id=104846.
Flags: needinfo?(dvander)
Attached patch a fix
I don't know if we should take this or not, but probably, if it will help fuzzing. It disables the assert, and uses the value which is sensible (I don't think -1 is supposed to leak into inputPosition).
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #691540 - Flags: review?
Attachment #691540 - Flags: review? → review?(sstangl)
Err, ignore the non-Yarr stuff in that patch :)
Attachment #691540 - Flags: review?(sstangl) → review+
dvander mentioned to add [leave open].

https://hg.mozilla.org/integration/mozilla-inbound/rev/cd2eb9705765
Whiteboard: [fuzzblocker][jsbugmon:update][js:p1:fx20] → [fuzzblocker][jsbugmon:update][js:p1:fx20][leave open]
Whiteboard: [fuzzblocker][jsbugmon:update][js:p1:fx20][leave open] → [fuzzblocker] [js:p1:fx20][leave open] [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision dd277d439d31).
Unfortunately in changeset cd2eb9705765 I forgot to set dvander as the author of the patch, sorry for that.
dvander is unlikely to be working on this in the future.
Assignee: dvander → nobody
Status: ASSIGNED → NEW
QA Contact: general
Keywords: leave-open
Whiteboard: [fuzzblocker] [js:p1:fx20][leave open] [jsbugmon:update,ignore] → [fuzzblocker] [js:p1] [jsbugmon:update,ignore]
I don't see a good reason to leave this open anymore. The crash is fixed and we haven't seen any obvious regressions caused by the new behavior.
Status: NEW → RESOLVED
Closed: 7 years ago
Keywords: leave-open
Resolution: --- → FIXED
Assignee: nobody → dvander
Target Milestone: --- → mozilla20