Closed Bug 1168667 Opened 6 years ago Closed 6 years ago

Assertion failure: obj->as<NativeObject>().getDenseCapacity() == 0, at jsobj.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla41
Tracking Status
firefox41 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

for each(var x in [{n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1},
                   {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1},
                   {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}]) {
    x[0] = 0;
    Object.freeze(x);
}

asserts js debug shell on m-c changeset e537a1ba501b with --fuzzing-safe --no-threads --no-ion at Assertion failure: obj->as<NativeObject>().getDenseCapacity() == 0, at jsobj.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r e537a1ba501b

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150517184745" and the hash "f8d7bb0b4f00".
The "bad" changeset has the timestamp "20150517191245" and the hash "322487136b28".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f8d7bb0b4f00&tochange=322487136b28

Brian, is bug 1162199 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x7eaff, 0x00000001007d2b1f js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`js::SetIntegrityLevel(cx=<unavailable>, obj=<unavailable>, level=Frozen) + 3055 at jsobj.cpp:920, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001007d2b1f js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`js::SetIntegrityLevel(cx=<unavailable>, obj=<unavailable>, level=Frozen) + 3055 at jsobj.cpp:920
    frame #1: 0x00000001000fbed8 js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`obj_freeze(cx=0x00000001028a5180, argc=<unavailable>, vp=<unavailable>) + 152 at Object.cpp:916
    frame #2: 0x00000001001ebf8f js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x00000001028a5180, native=0x00000001000fbe40)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 176 at jscntxtinlines.h:235
    frame #3: 0x00000001001ebedf js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`js::Invoke(cx=0x00000001028a5180, args=CallArgs at 0x00007fff5fbfe820, construct=<unavailable>) + 447 at Interpreter.cpp:727
    frame #4: 0x0000000100206e7d js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`Interpret(cx=<unavailable>, state=0x00007fff5fbfef58) + 45405 at Interpreter.cpp:2956
(lldb)
Attached patch patchSplinter Review
PreventExtensions needs an early check to convert unboxed objects to their native form.  This patch also generalizes the logic that does these conversion checks outside of UnboxedObject.cpp, since places where we convert unboxed plain objects should also convert unboxed arrays.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8611471 - Flags: review?(jdemooij)
Comment on attachment 8611471 [details] [diff] [review]
patch

Review of attachment 8611471 [details] [diff] [review]:
-----------------------------------------------------------------

Nice refactoring.
Attachment #8611471 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/43d11044cce3
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
You need to log in before you can comment on or make changes to this bug.