Closed Bug 1300193 Opened 9 years ago Closed 9 years ago

Assertion failure: getDenseCapacity() == 0, at js/src/vm/NativeObject-inl.h:164

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: gkw, Assigned: ekleog)

References

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision d5f20820c805 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): x = [0]; x.length = 9; Object.freeze(x); x.reverse(); Backtrace: 0 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74df63 js::NativeObject::extendDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 531 (NativeObject-inl.h:164) 1 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74d79b js::NativeObject::ensureDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 587 (NativeObject-inl.h:229) 2 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cda7936 js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)4>(JSContext*, JS::Handle<JSObject*>, unsigned int) + 86 (jsarray.cpp:1366) 3 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cd880fb js::array_reverse(JSContext*, unsigned int, JS::Value*) + 363 (jsarray.cpp:1420) 4 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d5a90cc js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 716 (jscntxtinlines.h:236) /snip For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/f95b25ae990d user: Leo Gaspard date: Mon Aug 29 15:00:35 2016 -0700 summary: Bug 1283334 - Part 1: Do not sparsify dense arrays when freezing - Interpreter. r=jandem Leo, is bug 1283334 a likely regressor?
Blocks: 1283334
Flags: needinfo?(ekleog)
It is, the assertion is too strict here as we no longer enforce frozen objects to be sparse, and I didn't notice it writing bug 1283334.
Assignee: nobody → lgaspard
Status: NEW → ASSIGNED
Flags: needinfo?(ekleog)
Here is a patch that should fix the crash. The assertion relied on the enclosing `if` to assert that elements must be sparse. This patch makes accept frozen objects that have dense elements, as it was the point of bug 1283334.
Attachment #8787793 - Flags: review?(jdemooij)
Blocks: 1297577
OS: Mac OS X → All
Hardware: x86_64 → All
Attachment #8787793 - Flags: review?(jdemooij) → review+
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/ba853a36a973 Make existing assertion that no longer holds more flexible. r=jandem
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: