Closed Bug 1811789 Opened 2 years ago Closed 2 years ago

Assertion failure: MOZ_ASSERT(isString()) at include/js/Value.h:924 with --enable-change-by-array-copy

Tracking

()

Status:

RESOLVED FIXED

Milestone:

111 Branch

Tracking Flags:

Tracking

Status

firefox111

---

fixed

People

(Reporter: lukas.bernhard, Assigned: tjc)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Bug 1811789 - Fix order of arguments in TypedArrayWith() r?mgaudet 2 years ago Tim Chevalier (deleted), text/x-phabricator-request		Details

lukas.bernhard

Reporter

Description

•

2 years ago

Steps to reproduce:

The following sample crashes the js shell in JS::Value::toString when invoked as: ./js --fuzzing-safe --enable-change-array-by-copy crash.js
Not setting s-s because this feature is disabled by default.

function f5() { } 

function f0() {
    const v15 = new Uint8Array();
    f5 &&= v15;
    const v17 = new Uint8Array();
    const v16 = wrapWithProto(v17, f5);
    v16.with();
}
f0();

lukas.bernhard

Reporter

Updated

•

2 years ago

Blocks: l11d-js-fuzzing

Component: Untriaged → JavaScript Engine

Product: Firefox → Core

André Bargull [:anba]

Comment 1

•

2 years ago

In this call, "TypedArrayWith" needs to be the last parameter, cf. CallSelfHostedNonGenericMethod.

Matthew Gaudet (he/him) [:mgaudet]

Updated

•

2 years ago

Blocks: 1811054

Severity: -- → S3

Priority: -- → P3

Tim Chevalier

Assignee

Comment 2

•

2 years ago

Attached file Bug 1811789 - Fix order of arguments in TypedArrayWith() r?mgaudet (deleted) — Details

The order of arguments when calling CallTypedArrayMethodIfWrapped() in
the self-hosted TypedArrayWith() function was wrong.

Phabricator Automation

Updated

•

2 years ago

Assignee: nobody → tjc

Attachment #9313902 - Attachment description: WIP: Bug 1811789 - Fix order of arguments in TypedArrayWith() → WIP: Bug 1811789 - Fix order of arguments in TypedArrayWith() r?mgaudet

Status: NEW → ASSIGNED

Phabricator Automation

Updated

•

2 years ago

Attachment #9313902 - Attachment description: WIP: Bug 1811789 - Fix order of arguments in TypedArrayWith() r?mgaudet → Bug 1811789 - Fix order of arguments in TypedArrayWith() r?mgaudet

Pulsebot

Comment 3

•

2 years ago

Pushed by mgaudet@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e8e7053a70ea Fix order of arguments in TypedArrayWith() r=mgaudet

Noemi Erli[:noemi_erli]

Comment 4

•

2 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/e8e7053a70ea

Status: ASSIGNED → RESOLVED

Closed: 2 years ago

status-firefox111: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → 111 Branch

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

Assertion failure: MOZ_ASSERT(isString()) at include/js/Value.h:924 with --enable-change-by-array-copy

Categories

(Core :: JavaScript Engine, defect, P3)

Tracking

()

People

(Reporter: lukas.bernhard, Assigned: tjc)

References

(Blocks 2 open bugs)

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Comment 1

Updated

Comment 2

Updated

Updated

Comment 3

Comment 4

Attachment

General

Description

File Name

Content Type