Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE, at jsval.h:596

RESOLVED DUPLICATE of bug 836138

Core :: JavaScript Engine
Severity: critical

People

(Reporter: decoder, Unassigned)

Tracking

Blocks: 1 bug
Keywords: assertion, testcase
Version: Trunk
Platform: x86_64 Linux

Whiteboard: [jsbugmon:update,testComment=6,ignore]

Description (Reporter), 6 years ago
The following testcase asserts on mozilla-central revision 21195f52311c (no options required):


for (let i = 0; i != 30; i+=2) {
  i % (5e-324)/2
}
Comment 1 (Reporter), 6 years ago
This doesn't crash in opt-builds but there is possibly something out of range according to the assertion. Marking s-s until this has been checked.
Whiteboard: [jsbugmon:update,bisect]
Updated (Reporter), 6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:]
Comment 2 (Reporter), 6 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Comment 3 (Reporter), 6 years ago
I can still reproduce this on tip, I don't know why JSBugMon isn't picking it up. Shells must be configured slightly differently.
cc+ Naveed.
What can we do here, are we waiting for jsbugmon bisect?
Comment 5 (Gary Kwong [:gkw])
I cannot reproduce on the revision specified in comment 0 on 64-bit Linux - decoder, perhaps you'd like to manually bisect?
Flags: needinfo?(choller)
Comment 6 (Reporter), 6 years ago
(In reply to Gary Kwong [:gkw] from comment #5)
> I cannot reproduce on the revision specified in comment 0 on 64-bit Linux -
> decoder, perhaps you'd like to manually bisect?

Manual bisection will not work; the bug is very unstable across revisions. I've just reproduced it again on revision 20bbf73921f4 (Linux 64 bit debug build) using this test:


var SECTION = "";
var lfcode = new Array();
lfcode.push("4");
lfcode.push("var result = [];\
function primes(isPrime, n) {\
  var i;\
  var count = 0;\
  var m = 10000<<n;\
  var size = m+31>>5;\
  for (i=0; i<size; i++) isPrime[i] = 0xffffffff;\
  for (i=2; i<m; ((function call() { return 0; } ).n)) \
    for (var j=i+i; j<m; j+=i)\
      result.push(isPrime[j>>5] &= ~(1<<(SECTION)));\
}\
for (var i = 4; i <= 4; i++) {\
  var isPrime = new Array((10000<<i)+31>>5);\
  primes(isPrime, i);\
}\
");
while (true) {
        var file = lfcode.shift(); if (file == undefined) { break; }
    if (file == "evaluate") {
    } else {
        loadFile(file)
    }
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length > 1) {
            switch (lfRunTypeId) {
                case 4: eval("(function() { " + lfVarx + " })();"); break;
            }
        } else if (!isNaN(lfVarx)) {
            lfRunTypeId = parseInt(lfVarx);
        }
    } catch (lfVare) {
    }
}


Can someone confirm this?
Flags: needinfo?(choller)
Updated (Reporter), 6 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:update,testComment=6]
Updated (Reporter), 6 years ago
Whiteboard: [jsbugmon:update,testComment=6] → [jsbugmon:update,testComment=6,ignore]
Comment 7 (Reporter), 6 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a46bc920998d).
Christian, okay to close?
Flags: needinfo?(choller)
Comment 9 (Reporter), 6 years ago
I cannot reproduce this locally on tip. However, the issue has already been shown to be unstable across revisions. If someone could just reproduce it on the specified test/revision in comment 6, that would probably help in investigating it. It hasn't appeared in fuzzing since then, but it was also a bug that seemed hard to hit.
Flags: needinfo?(choller)
This was fixed by bug 836138
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 836138
Comment 11 (Reporter), 6 years ago
Thanks David for figuring that out :)
Group: core-security