Closed
Bug 871857
Opened 12 years ago
Closed 12 years ago
Assertion failure: idx < arrobj->getDenseInitializedLength(), at vm/SelfHosting.cpp:365 or Assertion failure: args[arri].isObject(), at vm/SelfHosting.cpp:356 or Crash [@ js::intrinsic_UnsafeSetElement]
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla24
People: Reporter: decoder, Assigned: till
Keywords: assertion, testcase
Whiteboard: [jsbugmon:update][fuzzer-lulz]
Attachments (2 files, 1 obsolete file):
4.24 KB, patch (Waldo: review+)
1.93 KB, text/plain
The following testcase asserts on mozilla-central revision 7130e5134a6e (run with --ion-eager):
// Empty function used as the first argument: it is an object, but not an array,
// so its elements header is empty.
function addTestCase( d, t ) {}
// Shell-only debugging hook: fetch the self-hosting intrinsic by name.
var UnsafeSetElement = getSelfHostedValue("UnsafeSetElement");
// The intrinsic assumes a dense array and an in-range index; passing a function
// as the array argument hits one of the assertions quoted in the bug title.
UnsafeSetElement(addTestCase, 1, 0);
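The crash above is a trust-boundary problem rather than an arithmetic one: UnsafeSetElement is written for self-hosted callers that already guarantee its preconditions, so its only checks are assertions. The following C program is an added illustration written for this page; it is not SpiderMonkey code and not one of the bug's attachments. The Object and Value types, the unsafe_set_element and checked_set_element functions and the stored-int simplification are all constructed stand-ins; the two assertions mirror the ones named in the bug title, and replay_testcase reproduces the shape of the testcase (an object with an empty elements header, index 1).

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for an engine object: every object carries an elements
   header, and only the first dense_initialized_length slots hold real values.
   A plain function object has an empty header (initialized length 0). */
typedef struct {
    int32_t *elements;
    size_t dense_initialized_length;
} Object;

/* Constructed stand-in for a tagged engine value: object pointer or int. */
typedef struct {
    bool is_object;
    union { int32_t i; Object *obj; } u;
} Value;

/* Models the intrinsic's contract: self-hosted callers guarantee an object and
   an in-range index, so the only checks are assertions (the two named in the
   bug title). Reached from arbitrary script, a bad argument becomes an
   assertion failure in debug builds or an out-of-bounds write in release. */
static void unsafe_set_element(const Value *args, size_t nargs) {
    assert(nargs == 3);
    assert(args[0].is_object);                   /* args[arri].isObject() */
    Object *obj = args[0].u.obj;
    assert(!args[1].is_object && args[1].u.i >= 0);
    size_t idx = (size_t)args[1].u.i;
    assert(idx < obj->dense_initialized_length); /* idx < getDenseInitializedLength() */
    obj->elements[idx] = args[2].u.i;
}

typedef enum { SET_OK, SET_ERR_ARITY, SET_ERR_NOT_OBJECT, SET_ERR_BAD_INDEX } SetResult;

/* Boundary-checking wrapper: the checks a function reachable from untrusted
   script needs as real control flow, not assertions. Only after they pass is
   the unsafe routine entered with its preconditions established. */
static SetResult checked_set_element(const Value *args, size_t nargs) {
    if (nargs != 3) return SET_ERR_ARITY;
    if (!args[0].is_object) return SET_ERR_NOT_OBJECT;
    if (args[1].is_object || args[1].u.i < 0) return SET_ERR_BAD_INDEX;
    if ((size_t)args[1].u.i >= args[0].u.obj->dense_initialized_length)
        return SET_ERR_BAD_INDEX;
    unsafe_set_element(args, nargs);
    return SET_OK;
}

/* Shape of the bug's testcase, UnsafeSetElement(addTestCase, 1, 0): the first
   argument is an object (a function), but its elements header is empty, so
   index 1 is out of range. */
static SetResult replay_testcase(void) {
    Object fn = { NULL, 0 };
    Value args[3] = {
        { true,  { .obj = &fn } },
        { false, { .i = 1 } },
        { false, { .i = 0 } },
    };
    return checked_set_element(args, 3);
}

/* A primitive where an object is required trips the other assertion. */
static SetResult primitive_first_arg(void) {
    Value args[3] = {
        { false, { .i = 7 } },
        { false, { .i = 1 } },
        { false, { .i = 0 } },
    };
    return checked_set_element(args, 3);
}

/* Well-formed call: writes 42 into slot 1 of a two-element dense array. */
static int32_t valid_write(void) {
    int32_t storage[4] = { 0, 0, 0, 0 };
    Object arr = { storage, 2 };
    Value args[3] = {
        { true,  { .obj = &arr } },
        { false, { .i = 1 } },
        { false, { .i = 42 } },
    };
    if (checked_set_element(args, 3) != SET_OK) return -1;
    return storage[1];
}

int main(void) {
    printf("testcase shape: %d (expect %d)\n", (int)replay_testcase(), (int)SET_ERR_BAD_INDEX);
    printf("primitive first arg: %d (expect %d)\n", (int)primitive_first_arg(), (int)SET_ERR_NOT_OBJECT);
    printf("valid write: %d (expect 42)\n", (int)valid_write());
    return 0;
}
```

The point of the wrapper is not that the intrinsic itself should grow checks (the fix chosen in this bug is to stop exposing it), but that anything callable from untrusted script needs the checks as control flow; an assertion documents a precondition, it does not enforce one in a release build.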
Comment 1 (Reporter, 12 years ago)
Comment 2 (Reporter, 12 years ago)
I didn't mark this s-s because I assume the bug cannot be triggered without the "getSelfHostedValue" function which seems to be shell-only. It would still be nice if calling our shell functions would not lead to crashes :)
Whiteboard: [jsbugmon:update,bisect]
Updated by Reporter, 12 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 (Reporter, 12 years ago)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 121211:80a21124ddbd
user: Nicholas D. Matsakis
date: Thu Feb 07 11:34:43 2013 -0800
summary: Bug 807853 - Add (but do not yet use) parallel compilation mode to ion r=dvander,terrence
This iteration took 103.156 seconds to run.
Comment 4 (12 years ago)
getSelfHostedValue exposes super-internal methods with very particular internal requirements. It is absurdly trivial to call many to most to all of those methods and hit asserts or crash. Blacklist the results of getSelfHostedValue so they're never called, please.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WONTFIX
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzer-lulz]
Comment 5 (Reporter, 12 years ago)
There's no way to blacklist the result of anything in LangFuzz (and it cannot be done). I can delete the function from global but you can still get it back by creating a new global/compartment and I've seen this happening with "trap" for example. It's a bad idea to put such functions into the shell without a way to disable them somehow, imo :)
Comment 6 (Assignee, 12 years ago)
Waldo and I talked about this and decided to only expose the function if MOZ_SELFHOSTEDJS is set. That instructs SpiderMonkey to load an external JS file as the self-hosting code instead of using the embedded code. Since the main usecase for getSelfHostedValue is to enable experimentation with self-hosted code without having to recompile, this should work nicely.
Assignee: general → tschneidereit
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Comment 7 (Assignee, 12 years ago)
After IRC discussions with nmatsakis, I just removed the only jit-test relying on getSelfHostedValue.
Attachment #750807 - Flags: review?(jwalden+bmo)
Comment 8 (Reporter, 12 years ago)
Attachment #749092 - Attachment is obsolete: true
Updated 12 years ago
Attachment #750807 - Flags: review?(jwalden+bmo) → review+
Comment 9 (Assignee, 12 years ago)
Status: REOPENED → ASSIGNED
OS: Linux → All
Hardware: x86 → All
Comment 10 (12 years ago)
Status: ASSIGNED → RESOLVED
Closed: 12 years ago → 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24