Closed Bug 1168667 Opened 10 years ago Closed 10 years ago

Assertion failure: obj->as<NativeObject>().getDenseCapacity() == 0, at jsobj.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla41
Tracking Status
firefox41 --- fixed

People

(Reporter: gkw, Assigned: bhackett1024)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

for each(var x in [{n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}, {n: 1}]) {
    x[0] = 0;
    Object.freeze(x);
}

asserts js debug shell on m-c changeset e537a1ba501b with --fuzzing-safe --no-threads --no-ion at Assertion failure: obj->as<NativeObject>().getDenseCapacity() == 0, at jsobj.cpp.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r e537a1ba501b

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150517184745" and the hash "f8d7bb0b4f00".
The "bad" changeset has the timestamp "20150517191245" and the hash "322487136b28".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f8d7bb0b4f00&tochange=322487136b28

Brian, is bug 1162199 a likely regressor?
Flags: needinfo?(bhackett1024)
Attached file stack
(lldb) bt 5
* thread #1: tid = 0x7eaff, 0x00000001007d2b1f js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`js::SetIntegrityLevel(cx=<unavailable>, obj=<unavailable>, level=Frozen) + 3055 at jsobj.cpp:920, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001007d2b1f js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`js::SetIntegrityLevel(cx=<unavailable>, obj=<unavailable>, level=Frozen) + 3055 at jsobj.cpp:920
    frame #1: 0x00000001000fbed8 js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`obj_freeze(cx=0x00000001028a5180, argc=<unavailable>, vp=<unavailable>) + 152 at Object.cpp:916
    frame #2: 0x00000001001ebf8f js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x00000001028a5180, native=0x00000001000fbe40)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 176 at jscntxtinlines.h:235
    frame #3: 0x00000001001ebedf js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`js::Invoke(cx=0x00000001028a5180, args=CallArgs at 0x00007fff5fbfe820, construct=<unavailable>) + 447 at Interpreter.cpp:727
    frame #4: 0x0000000100206e7d js-dbg-64-dm-nsprBuild-darwin-e537a1ba501b`Interpret(cx=<unavailable>, state=0x00007fff5fbfef58) + 45405 at Interpreter.cpp:2956
(lldb)
Attached patch patch
PreventExtensions needs an early check to convert unboxed objects to their native form. This patch also generalizes the logic that does these conversion checks outside of UnboxedObject.cpp, since places where we convert unboxed plain objects should also convert unboxed arrays.
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8611471 - Flags: review?(jdemooij)
Comment on attachment 8611471
patch

Review of attachment 8611471:

Nice refactoring.
Attachment #8611471 - Flags: review?(jdemooij) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
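
A regression-style check for the behaviour the testcase exercises, added here as an example; it is not the test that landed with the fix. It builds same-layout objects from one literal site, adds an indexed property, freezes each object, and then verifies the freeze invariants. The function names are hypothetical, and it uses standard loops instead of the legacy `for each` syntax so it runs on current engines.

```javascript
// Added example, not Mozilla's in-tree test. Function names are hypothetical.

// Create `count` objects from a single literal site so they share one layout,
// mirroring the array of {n: 1} literals in the report.
function makeObjects(count) {
  const objs = [];
  for (let i = 0; i < count; i++) {
    objs.push({ n: 1 });
  }
  return objs;
}

// Returns a list of invariant violations; empty means the engine behaved.
function checkFreezeAfterIndexedWrite(count) {
  "use strict"; // failed writes to frozen objects must throw TypeError
  const failures = [];
  makeObjects(count).forEach((x, i) => {
    x[0] = 0; // indexed property, stored as a dense element
    Object.freeze(x);
    if (!Object.isFrozen(x)) failures.push(`${i}: not frozen`);
    if (Object.isExtensible(x)) failures.push(`${i}: still extensible`);
    for (const key of ["n", "0"]) {
      const d = Object.getOwnPropertyDescriptor(x, key);
      if (!d || d.writable || d.configurable) {
        failures.push(`${i}: bad descriptor for ${key}`);
      }
    }
    // Every mutation must be rejected and leave the object unchanged.
    const attempts = [
      () => { x[0] = 1; },
      () => { x.n = 2; },
      () => { delete x[0]; },
      () => { x[1] = 1; },
    ];
    for (const attempt of attempts) {
      try {
        attempt();
        failures.push(`${i}: mutation did not throw`);
      } catch (e) {
        if (!(e instanceof TypeError)) failures.push(`${i}: threw ${e}`);
      }
    }
    if (x[0] !== 0 || x.n !== 1 || Object.keys(x).join() !== "0,n") {
      failures.push(`${i}: contents changed`);
    }
  });
  return failures;
}
```

Calling `checkFreezeAfterIndexedWrite(20)` matches the object count in the report.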