Closed Bug 867100 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: false (unexpected jsval type), at ../ion/IonTypes.h:121 or Assertion failure: l.asBits <= JSVAL_SHIFTED_TAG_MAX_DOUBLE, at ../dist/include/js/Value.h:593 with GC

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:reconfirm])

The following testcase asserts on mozilla-central revision 1eb382609c2d (run with --ion-eager):

    var addexp = 0;
    for ( addpow = 0; addpow < 33; addpow++ ) {
      addexp += Math.pow(2, addpow);
      ToInt32(addexp);
    }
    function ToInt32( n ) {
      var sign = ( n < 0 ) ? -1 : 1;
      n = (sign * Math.floor( Math.abs(n) )) % 5e-324;
      for ( p = 30; p >=0; p-- ) {}
    }

I get the second assertion if I replace the for-loop in ToInt32 with a gc:

    var addexp = 0;
    for ( addpow = 0; addpow < 33; addpow++ ) {
      addexp += Math.pow(2, addpow);
      ToInt32(addexp);
    }
    function ToInt32( n ) {
      var sign = ( n < 0 ) ? -1 : 1;
      n = (sign * Math.floor( Math.abs(n) )) % 5e-324;
      gc();
    }

Marking this s-s because it seems to involve GC.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Also note that the original assertion here was "Assertion failure: (ptrBits & 0x7) == 0" which usually indicates a security problem.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Keywords: sec-high
Does this still reproduce, decoder?
Flags: needinfo?(choller)
Retrying JSBugMon to see if this is still reproducible.
Whiteboard: [jsbugmon:] → [jsbugmon:update,reconfirm]
Whiteboard: [jsbugmon:update,reconfirm] → [jsbugmon:reconfirm]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Sorry for the delay. None of the tests above reproduce for me anymore. I'll mark this WFM :)
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(choller)
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release