613452 - "Assertion failure: obj->isExtensible()" with Object.seal, sharps

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

Attachment: stack trace

js> (#1={x:Object.seal(#1#)})

Debug asserts:
Assertion failure: obj->isExtensible(), at jspropertycacheinlines.h:133

Opt behavior seems reasonable:
typein:1: TypeError: ({}) is not extensible


The first bad revision is:
changeset:   441f83a81fb8
user:        Jim Blandy
date:        Tue Sep 21 11:35:30 2010 -0700
summary:     Bug 492845: Implement Object.isSealed, Object.seal. a=jwalden, r=brendan

Comment 1

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Still occurs as of TM changeset 284811f39ca6 on a 32-bit shell on Linux.

(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb7610 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081cbae1 in JS_Assert (s=0x83b9534 "obj->isExtensible()", file=0x83b944c "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jspropertycacheinlines.h", ln=133)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsutil.cpp:83
#3  0x08325e9d in js::PropertyCache::testForInit (this=0x840387c, rt=0x84035e8, pc=0x848f0a9 "]", obj=0xf7608048, shapep=0xffffc948, entryp=0xffffc940)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jspropertycacheinlines.h:133
#4  0x0831e106 in js::Interpret (cx=0x8451e78, entryFrame=0xf7790030, inlineCallCount=0, interpMode=JSINTERP_NORMAL)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:5955
#5  0x0810731c in js::RunScript (cx=0x8451e78, script=0x848f020, fp=0xf7790030) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:657
#6  0x08108597 in js::Execute (cx=0x8451e78, chain=0xf7602028, script=0x848f020, prev=0x0, flags=0, result=0xffffd210)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:1023
#7  0x08074871 in JS_ExecuteScript (cx=0x8451e78, obj=0xf7602028, script=0x848f020, rval=0xffffd210) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsapi.cpp:4883
#8  0x0804c78b in Process (cx=0x8451e78, obj=0xf7602028, filename=0x0, forceTTY=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:548
#9  0x0804d3e5 in ProcessArgs (cx=0x8451e78, obj=0xf7602028, argv=0xffffd418, argc=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:943
#10 0x08056c86 in Shell (cx=0x8451e78, argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:5428
#11 0x08056e61 in main (argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:5536

Comment 2

[Jason Orendorff [:jorendorff]]

Attachment: v1

The assertion is invalid in the face of sharp variables exposing an object to script ahead of a JSOP_INITPROP on that object.

This moves the assertion someplace safe. I'll try to remember to move it back once sharp variables are removed.

(JSOP_INITPROP/JSOP_INITMETHOD only make a property cache entry if a property is actually added. If the object is inextensible, that can't happen, so the property cache contains no entries for INIT opcodes on inextensible objects.)

Comment 3

[Jason Orendorff [:jorendorff]]

http://hg.mozilla.org/integration/mozilla-inbound/rev/0f6ccf479e10

Comment 4

[Matt Brubeck (:mbrubeck)]

https://hg.mozilla.org/mozilla-central/rev/0f6ccf479e10