Closed Bug 1372956 Opened 3 years ago Closed 3 years ago

Assertion failure: !denseElementsAreFrozen(), at js/src/vm/NativeObject-inl.h:266

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr45 --- unaffected
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 + fixed
firefox56 + fixed

People

(Reporter: gkw, Assigned: jandem)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, jsbugmon, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision da66c4a05fda (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

x = objectEmulatingUndefined();         // JS shell builtin: returns a plain, non-array object
Array.prototype.push.apply(x, [0]);     // gives the object a dense element at index 0 and length 1
Object.freeze(x);                       // freezes the object's dense elements (and its length)
Array.prototype.unshift.apply(x, [0]);  // unshift's fast path writes to the frozen elements -> assertion


Backtrace:

#0  0x00000000005101f0 in js::NativeObject::ensureDenseInitializedLengthNoPackedCheck (this=this@entry=0x7fe06ca002c0, cx=cx@entry=0x7fe06b459000, index=index@entry=1, extra=<optimized out>) at js/src/vm/NativeObject-inl.h:266
#1  0x00000000005103a6 in js::NativeObject::ensureDenseElements (this=0x7fe06ca002c0, cx=0x7fe06b459000, index=1, extra=1) at js/src/vm/NativeObject-inl.h:369
#2  0x00000000004f9f3b in js::array_unshift (cx=0x7fe06b459000, argc=<optimized out>, vp=<optimized out>) at js/src/jsarray.cpp:2508
#3  0x000000000054028f in js::CallJSNative (cx=cx@entry=0x7fe06b459000, native=0x4f9ad0 <js::array_unshift(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#4  0x0000000000535293 in js::InternalCallOrConstruct (cx=cx@entry=0x7fe06b459000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
/snip

For detailed crash information, see attachment.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a5bee800882e
user:        Jan de Mooij
date:        Sat May 27 23:39:55 2017 +0200
summary:     Bug 1364346 part 1 - Optimize Array.prototype.unshift fast path and use it more. r=anba

Jan, is bug 1364346 a likely regressor?
Flags: needinfo?(jdemooij)
Attached patch: Patch
unshift's fast path needs to check for frozen elements.

This was not a problem before because the fast path was only used for arrays, and frozen elements implies frozen array length which we *did* check.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8878510 - Flags: review?(andrebargull)
(In reply to Jan de Mooij [:jandem] from comment #3)
> This was not a problem before because the fast path was only used for
> arrays, and frozen elements implies frozen array length which we *did* check.

Er, *non-writable* array length, of course.
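The distinction drawn in the two comments above (frozen elements versus a non-writable array length, and why a length check alone stops being sufficient once a fast path also serves non-array objects) can be pinned down from the spec side with a small test. The following is an added example, not the bug's testcase and not SpiderMonkey code; it uses plain objects instead of the shell-only objectEmulatingUndefined(), and the names unshiftOutcome and unshiftCases are this example's own. Array.prototype.unshift performs throwing (strict-style) Set operations regardless of the caller, so every rejected write surfaces as a TypeError.

```javascript
// Run Array.prototype.unshift on `target` and classify the result instead of
// letting it throw, so each object shape can be compared side by side.
function unshiftOutcome(target, item) {
  try {
    const newLength = Array.prototype.unshift.call(target, item);
    return { outcome: "ok", newLength };
  } catch (e) {
    return { outcome: e instanceof TypeError ? "TypeError" : "other" };
  }
}

// The object shapes relevant to the regression (all constructed inline).
function unshiftCases() {
  // 1. Ordinary array: the fast path and the generic path both succeed.
  const plain = [0];

  // 2. Frozen array: elements are frozen AND length is non-writable.
  //    Checking only the length was enough here, which is why the old
  //    array-only fast path never hit the problem.
  const frozenArray = Object.freeze([0]);

  // 3. Array with a non-writable length but writable elements: unshift must
  //    still fail, because it has to grow the array.
  const fixedLength = [0];
  Object.defineProperty(fixedLength, "length", { writable: false });

  // 4. Non-array object with a non-writable element but a writable length.
  //    For a non-array, "length is writable" says nothing about the elements,
  //    so a fast path that only checks length would wrongly write to index 0.
  const frozenElements = { length: 1 };
  Object.defineProperty(frozenElements, "0", {
    value: 0, writable: false, enumerable: true, configurable: false,
  });

  return {
    plain: unshiftOutcome(plain, 0),
    frozenArray: unshiftOutcome(frozenArray, 0),
    fixedLength: unshiftOutcome(fixedLength, 0),
    frozenElements: unshiftOutcome(frozenElements, 0),
  };
}
```

Only the first case may succeed (with a new length of 2); the other three must throw a TypeError. Case 4 is the shape the patch guards against: the debug assertion at NativeObject-inl.h:266 is the engine catching a write into frozen elements that a release build would simply have performed, so a regression test that asserts the TypeError on a non-array with non-writable elements is the check that keeps any future fast path honest.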
tracking as regression in 55.
Comment on attachment 8878510 [details] [diff] [review]
Patch

anba seems to be away and I'd like to get these off my plate, so forwarding to evilpie.
Attachment #8878510 - Flags: review?(andrebargull) → review?(evilpies)
Comment on attachment 8878510 [details] [diff] [review]
Patch

Sorry for the late review, LGTM.
Attachment #8878510 - Flags: review?(evilpies) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3d4ec37aba61
Fix unshift fast path to check for frozen elements. r=anba
Comment on attachment 8878510 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1364346.
[User impact if declined]: Correctness bugs.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Not yet.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: Low risk.
[Why is the change risky/not risky?]: Small/trivial patch.
[String changes made/needed]: None.
Attachment #8878510 - Flags: approval-mozilla-beta?
Comment on attachment 8878510 [details] [diff] [review]
Patch

Array.prototype.unshift fix, beta55+
Attachment #8878510 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/3d4ec37aba61
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56