Assertion failure: getDenseCapacity() == 0, at js/src/vm/NativeObject-inl.h:164
RESOLVED
FIXED
in Firefox 51
Status
()
People
(Reporter: gkw, Assigned: ekleog)
Tracking
(Blocks: 1 bug, {assertion, jsbugmon, testcase})
Firefox Tracking Flags
(firefox51 fixed)
Details
(Whiteboard: [jsbugmon:update])
Attachments
(2 attachments)
|
30.35 KB,
text/plain
|
Details | |
|
1.52 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision d5f20820c805 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): x = [0]; x.length = 9; Object.freeze(x); x.reverse(); Backtrace: 0 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74df63 js::NativeObject::extendDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 531 (NativeObject-inl.h:164) 1 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74d79b js::NativeObject::ensureDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 587 (NativeObject-inl.h:229) 2 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cda7936 js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)4>(JSContext*, JS::Handle<JSObject*>, unsigned int) + 86 (jsarray.cpp:1366) 3 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cd880fb js::array_reverse(JSContext*, unsigned int, JS::Value*) + 363 (jsarray.cpp:1420) 4 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d5a90cc js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 716 (jscntxtinlines.h:236) /snip For detailed crash information, see attachment.
|
(Reporter) | |
Comment 1•2 years ago
|
||
Created attachment 8787760 [details]
Detailed Crash Information|
|
(Reporter) | |
Comment 2•2 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/f95b25ae990d user: Leo Gaspard date: Mon Aug 29 15:00:35 2016 -0700 summary: Bug 1283334 - Part 1: Do not sparsify dense arrays when freezing - Interpreter. r=jandem Leo, is bug 1283334 a likely regressor?
Blocks: 1283334
Flags: needinfo?(ekleog)
|
(Assignee) | |
Comment 3•2 years ago
|
||
It is, the assertion is too strict here as we no longer enforce frozen objects to be sparse, and I didn't notice it writing bug 1283334.
Assignee: nobody → lgaspard
Status: NEW → ASSIGNED
Flags: needinfo?(ekleog)
|
|
(Assignee) | |
Comment 4•2 years ago
|
||
Created attachment 8787793 [details] [diff] [review] freezing-dense-reverse.patch Here is a patch that should fix the crash. The assertion relied on the enclosing `if` to assert that elements must be sparse. This patch makes accept frozen objects that have dense elements, as it was the point of bug 1283334.
Attachment #8787793 -
Flags: review?(jdemooij)
|
|
(Assignee) | |
Updated•2 years ago
|
||
|
|
(Assignee) | |
Comment 5•2 years ago
|
||
Try run is available at https://treeherder.mozilla.org/#/jobs?repo=try&revision=ddc13ba3ae31
|
||
Updated•2 years ago
|
||
Attachment #8787793 -
Flags: review?(jdemooij) → review+
|
|
(Assignee) | |
Updated•2 years ago
|
||
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/ba853a36a973 Make existing assertion that no longer holds more flexible. r=jandem
Keywords: checkin-needed
|
||
Comment 7•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/ba853a36a973
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox51: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in
before you can comment on or make changes to this bug.
Description
•