Bug 1372956 (Closed) - Assertion failure: !denseElementsAreFrozen(), at js/src/vm/NativeObject-inl.h:266
Opened 7 years ago, closed 7 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED, target milestone mozilla56

Tracking

| Release | Tracking | Status |
|---|---|---|
| firefox-esr45 | --- | unaffected |
| firefox-esr52 | --- | unaffected |
| firefox54 | --- | unaffected |
| firefox55 | + | fixed |
| firefox56 | + | fixed |
People
(Reporter: gkw, Assigned: jandem)
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments (2 files)
- 9.62 KB, text/plain
- Patch: 1.43 KB, patch (anba: review+; jcristau: approval-mozilla-beta+)
The following testcase crashes on mozilla-central revision da66c4a05fda (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

```js
x = objectEmulatingUndefined();
Array.prototype.push.apply(x, [0]);
Object.freeze(x);
Array.prototype.unshift.apply(x, [0]);
```

Backtrace:

```
#0 0x00000000005101f0 in js::NativeObject::ensureDenseInitializedLengthNoPackedCheck (this=this@entry=0x7fe06ca002c0, cx=cx@entry=0x7fe06b459000, index=index@entry=1, extra=<optimized out>) at js/src/vm/NativeObject-inl.h:266
#1 0x00000000005103a6 in js::NativeObject::ensureDenseElements (this=0x7fe06ca002c0, cx=0x7fe06b459000, index=1, extra=1) at js/src/vm/NativeObject-inl.h:369
#2 0x00000000004f9f3b in js::array_unshift (cx=0x7fe06b459000, argc=<optimized out>, vp=<optimized out>) at js/src/jsarray.cpp:2508
#3 0x000000000054028f in js::CallJSNative (cx=cx@entry=0x7fe06b459000, native=0x4f9ad0 <js::array_unshift(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#4 0x0000000000535293 in js::InternalCallOrConstruct (cx=cx@entry=0x7fe06b459000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
/snip
```

For detailed crash information, see attachment.
Comment 2 (Reporter, 7 years ago):
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/a5bee800882e
user: Jan de Mooij
date: Sat May 27 23:39:55 2017 +0200
summary: Bug 1364346 part 1 - Optimize Array.prototype.unshift fast path and use it more. r=anba

Jan, is bug 1364346 a likely regressor?
Flags: needinfo?(jdemooij)
Comment 3 (Assignee, 7 years ago):
unshift's fast path needs to check for frozen elements. This was not a problem before because the fast path was only used for arrays, and frozen elements implies frozen array length which we *did* check.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8878510 - Flags: review?(andrebargull)
Comment 4 (Assignee, 7 years ago):
(In reply to Jan de Mooij [:jandem] from comment #3)
> This was not a problem before because the fast path was only used for
> arrays, and frozen elements implies frozen array length which we *did* check.

Er, *non-writable* array length, of course.
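Added example, not code from the bug or the SpiderMonkey tree: the reporter's testcase relies on objectEmulatingUndefined(), a JS-shell-only helper, so a plain array-like object stands in for it (an assumption; any non-Array carrying dense elements exercises the same unshift path). It runs the three shapes discussed in comments 3 and 4 and checks the spec-required outcome, a TypeError with the target left untouched, which is what the fixed fast path must produce instead of the debug assertion.

```javascript
// Case 1, the bug's shape: a non-Array object given dense elements by push, then frozen.
function frozenArrayLike() {
  const x = {};
  Array.prototype.push.apply(x, [0]); // x is now {0: 0, length: 1}
  return Object.freeze(x);
}

// Case 2: the same element on a real Array that is frozen.
function frozenArray() {
  return Object.freeze([0]);
}

// Case 3 (comment 4's point): an Array whose length alone is non-writable.
// For Arrays the old fast path relied on this check, which is why it never crashed.
function arrayWithReadOnlyLength() {
  const a = [0];
  Object.defineProperty(a, "length", { writable: false });
  return a;
}

// Control: the same array-like left writable, where unshift must succeed.
function writableArrayLike() {
  const y = {};
  Array.prototype.push.apply(y, [0]);
  return y;
}

// Runs unshift through apply, as the testcase does, and reports whether it threw,
// what it threw, and whether the target was left untouched.
function tryUnshift(target, value) {
  const before = JSON.stringify(target);
  let threw = false;
  let error = null;
  try {
    Array.prototype.unshift.apply(target, [value]);
  } catch (e) {
    threw = true;
    error = e.constructor.name;
  }
  return { threw, error, unchanged: JSON.stringify(target) === before };
}

// Every frozen or length-locked target must reject the write with a TypeError and
// stay as it was; only the writable control may change.
function checkAll() {
  return {
    frozenArrayLike: tryUnshift(frozenArrayLike(), 0),
    frozenArray: tryUnshift(frozenArray(), 0),
    readOnlyLength: tryUnshift(arrayWithReadOnlyLength(), 0),
    writable: tryUnshift(writableArrayLike(), 0),
  };
}
```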
Updated (Assignee, 7 years ago):
Blocks: 1364346
status-firefox54: --- → unaffected
status-firefox55: --- → affected
status-firefox-esr45: --- → unaffected
status-firefox-esr52: --- → unaffected
tracking-firefox55: --- → ?
tracking-firefox56: --- → ?
Comment 6 (Assignee, 7 years ago):
Comment on attachment 8878510 [details] [diff] [review] Patch anba seems to be away and I'd like to get these off my plate, so forwarding to evilpie.
Attachment #8878510 - Flags: review?(andrebargull) → review?(evilpies)
Comment 7 (7 years ago):
Comment on attachment 8878510 [details] [diff] [review] Patch Sorry for the late review, LGTM.
Attachment #8878510 - Flags: review?(evilpies) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3d4ec37aba61
Fix unshift fast path to check for frozen elements. r=anba
Comment 9 (Assignee, 7 years ago):
Comment on attachment 8878510 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1364346.
[User impact if declined]: Correctness bugs.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Not yet.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: Low risk.
[Why is the change risky/not risky?]: Small/trivial patch.
[String changes made/needed]: None.
Attachment #8878510 - Flags: approval-mozilla-beta?
Comment 10 (7 years ago):
Comment on attachment 8878510 [details] [diff] [review] Patch Array.prototype.unshift fix, beta55+
Attachment #8878510 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 11 (7 years ago):
bugherder uplift: https://hg.mozilla.org/releases/mozilla-beta/rev/13f6c960bb25
Flags: in-testsuite+
Comment 12 (7 years ago):
bugherder: https://hg.mozilla.org/mozilla-central/rev/3d4ec37aba61
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56