Closed
Bug 977647
Opened 11 years ago
Closed 11 years ago
Assertion failure: offset + type->size() <= typedObj->size(), at builtin/TypedObject.cpp:1462
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla30
| Tracking | Status | |
|---|---|---|
| firefox29 | --- | unaffected |
| firefox30 | --- | fixed |
| firefox-esr24 | --- | unaffected |
People
(Reporter: decoder, Assigned: nmatsakis)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
565 bytes,
text/plain
|
Details | |
|
1.67 KB,
patch
|
shu
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision a98a1d78817f (threadsafe build, run with --fuzzing-safe --thread-count=2):
var { ArrayType, StructType, uint32 } = TypedObject;
var Point = new StructType({x: uint32, y: uint32});
var Points = Point.array();
var points = new Points();
function f() {
points.mapPar(function() {});
}
while(true) { try { f(); } catch(exc1) {} }
|
Reporter | |
Updated•11 years ago
|
status-firefox30:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 2•11 years ago
|
||
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20140224144106" and the hash "889a90d8aa11".
The "bad" changeset has the timestamp "20140224150007" and the hash "108209641936".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=889a90d8aa11&tochange=108209641936
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → nmatsakis
|
|
Assignee | |
Comment 3•11 years ago
|
||
Attachment #8383730 -
Flags: review?(shu)
|
||
Comment 4•11 years ago
|
||
Comment on attachment 8383730 [details] [diff] [review]
Bug977647.diff
Review of attachment 8383730 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/builtin/TypedObject.js
@@ +1437,5 @@
> const mode = undefined;
>
> const outArray = new outArrayType(length);
> + if (length == 0)
> + return outArray; // that was easy.
Nits: === and maybe no cutesy comment? I don't care too much about the cutesy comment though.
::: js/src/jit-test/tests/parallel/bug977647.js
@@ +1,2 @@
> +// Check for mapPar() applied to an empty array.
> +// Public domain.
Wait, why PD?
Attachment #8383730 -
Flags: review?(shu) → review+
|
|
Assignee | |
Comment 5•11 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #4)
> Nits: === and maybe no cutesy comment? I don't care too much about the
> cutesy comment though.
I forgot I left that in there. I'll change to === -- should be equivalent, we know that length is an int at that point, I think. Or maybe not. Whatever.
> ::: js/src/jit-test/tests/parallel/bug977647.js
> @@ +1,2 @@
> > +// Check for mapPar() applied to an empty array.
> > +// Public domain.
>
> Wait, why PD?
Till always tells me to make all tests public domain.
|
|
Assignee | |
Comment 6•11 years ago
|
||
|
||
Comment 7•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 8•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•11 years ago
|
status-firefox29:
--- → unaffected
status-firefox-esr24:
--- → unaffected
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•