975448 - Assertion failure: offset + size() <= buffer.byteLength(), at builtin/TypedObject.cpp:1418 with GC

Status: RESOLVED DUPLICATE of bug 975456

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision 7010ab83a06e (run with --fuzzing-safe --ion-eager --ion-compile-try-catch):


gczeal(2);
var {StructType, uint32, storage} = TypedObject;
var S = new StructType({f: uint32, g: uint32});
var A = S.array(10);
function readFrom(a) {
  return a[2].f + a[2].g;
}
var a = new A();
neuter(storage(a).buffer);
for (var i = 0; i < 100; i++) {
  try {
    readFrom(a);
  } catch (e) {  }
}

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

Related to TypedObject, needinfo from nmatsakis :)

Comment 3

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/f3ad4ab36594
user:        Nicholas D. Matsakis
date:        Wed Feb 12 15:15:47 2014 -0500
summary:     Bug 898356 Part 5 -- Use ArrayBufferObjects as the "backing store" for a typed object r=sfink

This iteration took 1.007 seconds to run.

Comment 4

[Christian Holler (:decoder)]

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1507f021ac93).

Comment 5

[Niko Matsakis [:nmatsakis]]

Likely a dup of bug 975456