Closed
Bug 1300193
Opened 9 years ago
Closed 9 years ago
Assertion failure: getDenseCapacity() == 0, at js/src/vm/NativeObject-inl.h:164
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla51
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: gkw, Assigned: ekleog)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
30.35 KB,
text/plain
|
Details | |
|
1.52 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision d5f20820c805 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
x = [0];
x.length = 9;
Object.freeze(x);
x.reverse();
Backtrace:
0 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74df63 js::NativeObject::extendDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 531 (NativeObject-inl.h:164)
1 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74d79b js::NativeObject::ensureDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 587 (NativeObject-inl.h:229)
2 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cda7936 js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)4>(JSContext*, JS::Handle<JSObject*>, unsigned int) + 86 (jsarray.cpp:1366)
3 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cd880fb js::array_reverse(JSContext*, unsigned int, JS::Value*) + 363 (jsarray.cpp:1420)
4 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d5a90cc js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 716 (jscntxtinlines.h:236)
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•9 years ago
|
||
|
|
Reporter | |
Comment 2•9 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/f95b25ae990d
user: Leo Gaspard
date: Mon Aug 29 15:00:35 2016 -0700
summary: Bug 1283334 - Part 1: Do not sparsify dense arrays when freezing - Interpreter. r=jandem
Leo, is bug 1283334 a likely regressor?
Blocks: 1283334
Flags: needinfo?(ekleog)
|
Assignee | |
Comment 3•9 years ago
|
||
It is, the assertion is too strict here as we no longer enforce frozen objects to be sparse, and I didn't notice it writing bug 1283334.
Assignee: nobody → lgaspard
Status: NEW → ASSIGNED
Flags: needinfo?(ekleog)
|
|
Assignee | |
Comment 4•9 years ago
|
||
Here is a patch that should fix the crash. The assertion relied on the enclosing `if` to assert that elements must be sparse. This patch makes accept frozen objects that have dense elements, as it was the point of bug 1283334.
Attachment #8787793 -
Flags: review?(jdemooij)
|
|
Assignee | |
Updated•9 years ago
|
|
|
Assignee | |
Comment 5•9 years ago
|
||
Try run is available at https://treeherder.mozilla.org/#/jobs?repo=try&revision=ddc13ba3ae31
|
||
Updated•9 years ago
|
Attachment #8787793 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Updated•9 years ago
|
Keywords: checkin-needed
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ba853a36a973
Make existing assertion that no longer holds more flexible. r=jandem
Keywords: checkin-needed
|
||
Comment 7•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in
before you can comment on or make changes to this bug.
Description
•