Closed
Bug 1300193
Opened 8 years ago
Closed 8 years ago
Assertion failure: getDenseCapacity() == 0, at js/src/vm/NativeObject-inl.h:164
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla51
Tracking | Status | |
---|---|---|
firefox51 | --- | fixed |
People
(Reporter: gkw, Assigned: ekleog)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
30.35 KB, text/plain
1.52 KB, patch (jandem: review+)
The following testcase crashes on mozilla-central revision d5f20820c805 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

```
x = [0];
x.length = 9;
Object.freeze(x);
x.reverse();
```

Backtrace:

```
0 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74df63 js::NativeObject::extendDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 531 (NativeObject-inl.h:164)
1 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74d79b js::NativeObject::ensureDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 587 (NativeObject-inl.h:229)
2 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cda7936 js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)4>(JSContext*, JS::Handle<JSObject*>, unsigned int) + 86 (jsarray.cpp:1366)
3 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cd880fb js::array_reverse(JSContext*, unsigned int, JS::Value*) + 363 (jsarray.cpp:1420)
4 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d5a90cc js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 716 (jscntxtinlines.h:236)
/snip
```

For detailed crash information, see attachment.
Reporter | ||
Comment 1•8 years ago
|
||
Reporter | ||
Comment 2•8 years ago
|
||
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f95b25ae990d
user: Leo Gaspard
date: Mon Aug 29 15:00:35 2016 -0700
summary: Bug 1283334 - Part 1: Do not sparsify dense arrays when freezing - Interpreter. r=jandem

Leo, is bug 1283334 a likely regressor?
Blocks: 1283334
Flags: needinfo?(ekleog)
Assignee | ||
Comment 3•8 years ago
|
||
It is, the assertion is too strict here as we no longer enforce frozen objects to be sparse, and I didn't notice it writing bug 1283334.
Assignee: nobody → lgaspard
Status: NEW → ASSIGNED
Flags: needinfo?(ekleog)
Assignee | ||
Comment 4•8 years ago
|
||
Here is a patch that should fix the crash. The assertion relied on the enclosing `if` to assert that elements must be sparse. This patch makes it accept frozen objects that have dense elements, as it was the point of bug 1283334.
Attachment #8787793 -
Flags: review?(jdemooij)
Assignee | ||
Updated•8 years ago
|
Assignee | ||
Comment 5•8 years ago
|
||
Try run is available at https://treeherder.mozilla.org/#/jobs?repo=try&revision=ddc13ba3ae31
Updated•8 years ago
|
Attachment #8787793 -
Flags: review?(jdemooij) → review+
Assignee | ||
Updated•8 years ago
|
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ba853a36a973
Make existing assertion that no longer holds more flexible. r=jandem
Keywords: checkin-needed
Comment 7•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/ba853a36a973
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
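A regression check for the script-visible behaviour around this bug, as an added example that is not part of the bug report or the attached patch: it rebuilds the array from the testcase (one element, length 9, frozen) and verifies that mutating methods fail with a TypeError and leave the array untouched. The helper names and the methods checked beyond `reverse` are assumptions of this example.

```javascript
// Added example, not code from the bug or from SpiderMonkey.
// Runs in any ES2015+ engine (Node.js or the js shell).

// Array shape from the testcase: one stored element, length 9, then frozen.
function makeFrozenHoleyArray() {
  const x = [0];
  x.length = 9;
  return Object.freeze(x);
}

// Mutating methods to exercise (hypothetical selection; the bug only hit reverse).
const MUTATORS = {
  reverse: (a) => a.reverse(),
  push: (a) => a.push(1),
  pop: (a) => a.pop(),
  shift: (a) => a.shift(),
  unshift: (a) => a.unshift(1),
  splice: (a) => a.splice(0, 1),
};

// Capture everything a failed mutation could have changed.
function snapshot(a) {
  return JSON.stringify({ length: a.length, keys: Object.keys(a), first: a[0] });
}

// Returns a list of failure descriptions; an empty list means all checks passed.
function checkFrozenMutators() {
  const failures = [];
  for (const [name, call] of Object.entries(MUTATORS)) {
    const arr = makeFrozenHoleyArray();
    const before = snapshot(arr);
    let threw = null;
    try {
      call(arr);
    } catch (e) {
      threw = e;
    }
    if (!(threw instanceof TypeError)) failures.push(name + ": no TypeError");
    if (snapshot(arr) !== before) failures.push(name + ": array changed");
    if (!Object.isFrozen(arr)) failures.push(name + ": no longer frozen");
  }
  return failures;
}
```

On a debug build, an engine-side assertion like the one in this bug would abort the process before `checkFrozenMutators()` returns, so the check covers both the crash and the script-visible semantics.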