Closed
Bug 1300193
Opened 3 years ago
Closed 3 years ago
Assertion failure: getDenseCapacity() == 0, at js/src/vm/NativeObject-inl.h:164
Categories
(Core :: JavaScript Engine, defect, critical)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla51
| Tracking | Status | |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: gkw, Assigned: ekleog)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, jsbugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
30.35 KB,
text/plain
|
Details | |
|
1.52 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision d5f20820c805 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion): x = [0]; x.length = 9; Object.freeze(x); x.reverse(); Backtrace: 0 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74df63 js::NativeObject::extendDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 531 (NativeObject-inl.h:164) 1 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d74d79b js::NativeObject::ensureDenseElements(js::ExclusiveContext*, unsigned int, unsigned int) + 587 (NativeObject-inl.h:229) 2 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cda7936 js::DenseElementResult ArrayReverseDenseKernel<(JSValueType)4>(JSContext*, JS::Handle<JSObject*>, unsigned int) + 86 (jsarray.cpp:1366) 3 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010cd880fb js::array_reverse(JSContext*, unsigned int, JS::Value*) + 363 (jsarray.cpp:1420) 4 js-dbg-64-dm-clang-darwin-d5f20820c805 0x000000010d5a90cc js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 716 (jscntxtinlines.h:236) /snip For detailed crash information, see attachment.
|
Reporter | |
Comment 1•3 years ago
|
||
|
|
Reporter | |
Comment 2•3 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/f95b25ae990d user: Leo Gaspard date: Mon Aug 29 15:00:35 2016 -0700 summary: Bug 1283334 - Part 1: Do not sparsify dense arrays when freezing - Interpreter. r=jandem Leo, is bug 1283334 a likely regressor?
Blocks: 1283334
Flags: needinfo?(ekleog)
|
Assignee | |
Comment 3•3 years ago
|
||
It is, the assertion is too strict here as we no longer enforce frozen objects to be sparse, and I didn't notice it writing bug 1283334.
Assignee: nobody → lgaspard
Status: NEW → ASSIGNED
Flags: needinfo?(ekleog)
|
|
Assignee | |
Comment 4•3 years ago
|
||
Here is a patch that should fix the crash. The assertion relied on the enclosing `if` to assert that elements must be sparse. This patch makes accept frozen objects that have dense elements, as it was the point of bug 1283334.
Attachment #8787793 -
Flags: review?(jdemooij)
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 5•3 years ago
|
||
Try run is available at https://treeherder.mozilla.org/#/jobs?repo=try&revision=ddc13ba3ae31
|
||
Updated•3 years ago
|
Attachment #8787793 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Updated•3 years ago
|
Keywords: checkin-needed
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/ba853a36a973 Make existing assertion that no longer holds more flexible. r=jandem
Keywords: checkin-needed
|
||
Comment 7•3 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/ba853a36a973
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
You need to log in
before you can comment on or make changes to this bug.
Description
•