Closed Bug 906024 Opened 11 years ago Closed 11 years ago

Assertion failure: output.type() == MIRType_Int32, at jit/IonCaches.cpp:1024 or Crash [@ ToPrimitive]

Tracking

()

Status:

RESOLVED DUPLICATE of bug 906035

Tracking Flags:

Tracking

Status

firefox25

---

unaffected

firefox26

---

affected

firefox-esr17

---

unaffected

b2g18

---

unaffected

People

(Reporter: decoder, Assigned: efaust)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

[crash-signature] Machine-readable crash signature 11 years ago Christian Holler (:decoder) 1.12 KB, text/plain		Details

Christian Holler (:decoder)

Reporter

Description

•

11 years ago

The following testcase asserts on mozilla-central revision 1ed5a88cd4d0 (run with --fuzzing-safe --ion-eager):


function y() { return "foo,bar"; }
function x() {
  var z = y().split(',');
  for (var i = 0; i < z.length; i++) {}
}
gczeal(2);
Object.prototype.length = function () {};
x();

Christian Holler (:decoder)

Reporter

Comment 1

•

11 years ago

Actually this should be a security-bug because gczeal is involved and we're crashing after confusing some types.

Group: core-security

Crash Signature: [@ ToPrimitive]

Keywords: crash

Whiteboard: [jsbugmon:update,bisect]

Christian Holler (:decoder)

Reporter

Comment 2

•

11 years ago

Attached file [crash-signature] Machine-readable crash signature — Details

Christian Holler (:decoder)

Reporter

Updated

•

11 years ago

Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Christian Holler (:decoder)

Reporter

Comment 3

•

11 years ago

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/42776e928f7b
user:        Eric Faust
date:        Sat Aug 10 22:20:36 2013 -0700
summary:     Bug 902264 - Part 2: Expose Array.length optimization to idempotent GetPropertyICs. (r=jandem)

This iteration took 0.737 seconds to run.

Andrew McCreight [:mccr8]

Comment 4

•

11 years ago

Can you look at this Eric?  Thanks.

Flags: needinfo?(efaustbmo)

Al Billings [:abillings - ex-MoCo]

Updated

•

11 years ago

status-b2g18: --- → unaffected

status-firefox25: --- → unaffected

status-firefox26: --- → affected

status-firefox-esr17: --- → unaffected

tracking-firefox26: --- → +

Andrew McCreight [:mccr8]

Comment 5

•

11 years ago

Over IRC, efaust said this is probably a dupe of something he has an unlanded patch for, so I'm just going to assign it to him, and decoder's robots can confirm this, or something.

Assignee: general → efaustbmo

Flags: needinfo?(efaustbmo)

Eric Faust [:efaust]

Assignee

Comment 6

•

11 years ago

This is indeed a dupe of 906035, with the same assertion.

Status: NEW → RESOLVED

Closed: 11 years ago

Resolution: --- → DUPLICATE

Lukas Blakk [:lsblakk] use ?needinfo

Updated

•

11 years ago

tracking-firefox26: + → ---

BMO Automation

Updated

•

9 years ago

Group: core-security → core-security-release

Daniel Veditz [:dveditz]

Updated

•

8 years ago

Group: core-security-release

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: output.type() == MIRType_Int32, at jit/IonCaches.cpp:1024 or Crash [@ ToPrimitive]

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Assigned: efaust)

References

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Updated

Updated

Updated

Attachment

General

Description

File Name

Content Type