Closed
Bug 977647
Opened 10 years ago
Closed 10 years ago
Assertion failure: offset + type->size() <= typedObj->size(), at builtin/TypedObject.cpp:1462
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla30
| Tracking | Status | |
|---|---|---|
| firefox29 | --- | unaffected |
| firefox30 | --- | fixed |
| firefox-esr24 | --- | unaffected |
People
(Reporter: decoder, Assigned: nmatsakis)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
565 bytes,
text/plain
|
Details | |
|
1.67 KB,
patch
|
shu
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision a98a1d78817f (threadsafe build, run with --fuzzing-safe --thread-count=2):
var { ArrayType, StructType, uint32 } = TypedObject;
var Point = new StructType({x: uint32, y: uint32});
var Points = Point.array();
var points = new Points();
function f() {
points.mapPar(function() {});
}
while(true) { try { f(); } catch(exc1) {} }
|
Reporter | |
Updated•10 years ago
|
status-firefox30:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•10 years ago
|
||
JSBugMon: Bisection requested, result: === Tinderbox Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20140224144106" and the hash "889a90d8aa11". The "bad" changeset has the timestamp "20140224150007" and the hash "108209641936". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=889a90d8aa11&tochange=108209641936
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → nmatsakis
|
|
Assignee | |
Comment 3•10 years ago
|
||
Attachment #8383730 -
Flags: review?(shu)
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8383730 [details] [diff] [review] Bug977647.diff Review of attachment 8383730 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/builtin/TypedObject.js @@ +1437,5 @@ > const mode = undefined; > > const outArray = new outArrayType(length); > + if (length == 0) > + return outArray; // that was easy. Nits: === and maybe no cutesy comment? I don't care too much about the cutesy comment though. ::: js/src/jit-test/tests/parallel/bug977647.js @@ +1,2 @@ > +// Check for mapPar() applied to an empty array. > +// Public domain. Wait, why PD?
Attachment #8383730 -
Flags: review?(shu) → review+
|
|
Assignee | |
Comment 5•10 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #4) > Nits: === and maybe no cutesy comment? I don't care too much about the > cutesy comment though. I forgot I left that in there. I'll change to === -- should be equivalent, we know that length is an int at that point, I think. Or maybe not. Whatever. > ::: js/src/jit-test/tests/parallel/bug977647.js > @@ +1,2 @@ > > +// Check for mapPar() applied to an empty array. > > +// Public domain. > > Wait, why PD? Till always tells me to make all tests public domain.
|
|
Assignee | |
Comment 6•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/2cab8c44a9b9
|
||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/2cab8c44a9b9
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
|
|
Reporter | |
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 8•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•10 years ago
|
status-firefox29:
--- → unaffected
status-firefox-esr24:
--- → unaffected
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•