Closed
Bug 969159
Opened 10 years ago
Closed 10 years ago
Assertion failure: offset < size(), at builtin/TypedObject.h:519
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla30
People
(Reporter: decoder, Assigned: nmatsakis)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files, 1 obsolete file)
|
621 bytes,
text/plain
|
Details | |
|
2.35 KB,
patch
|
nmatsakis
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 1e9f169c9715 (run with --fuzzing-safe): var AA = TypedObject.uint8.array(0.).array(5); var aa = new AA(); var aa0 = aa[0];
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect]
|
Assignee | |
Comment 2•10 years ago
|
||
I think the assertion is probably wrong and should be offset <= size
|
|
Assignee | |
Comment 3•10 years ago
|
||
Attachment #8372448 -
Flags: review?(shu)
|
|
Assignee | |
Comment 4•10 years ago
|
||
(Note: not security sensitive)
|
||
Comment 6•10 years ago
|
||
Comment on attachment 8372448 [details] [diff] [review] Bug969159.diff Review of attachment 8372448 [details] [diff] [review]: ----------------------------------------------------------------- As discussed on IRC, add the appropriate assert, namely |offset <= datum->size && offset + derived->size <= datum->size| to attach. r=me for that ::: js/src/builtin/TypedObject.h @@ +518,5 @@ > uint8_t *typedMem(size_t offset) const { > + // It seems a bit surprising that one might request an offset > + // == size(), but it can happen when taking the "address of" a > + // user-sized value. > + JS_ASSERT(offset <= size()); Maybe clarify a bit that this can only really happen when types with size() == 0.
Attachment #8372448 -
Flags: review?(shu) → review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
More asserts
Attachment #8372448 -
Attachment is obsolete: true
Attachment #8372707 -
Flags: review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8a36e37f46ed
|
||
Comment 9•10 years ago
|
||
Backed out in http://hg.mozilla.org/integration/mozilla-inbound/rev/93f2c8487cf7 for giving Valgrind a bellyache, https://tbpl.mozilla.org/php/getParsedLog.php?id=34386000&tree=Mozilla-Inbound and https://tbpl.mozilla.org/php/getParsedLog.php?id=34387371&tree=Mozilla-Inbound
|
|
||
Comment 10•10 years ago
|
||
Relanded in https://hg.mozilla.org/integration/mozilla-inbound/rev/155486b9b85c - thanks for discovering bug 970164 for us!
Assignee: nobody → nmatsakis
|
||
Comment 11•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/155486b9b85c
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
||
Updated•10 years ago
|
QA Whiteboard: [qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•