Closed Bug 1461167 Opened 6 years ago Closed 6 years ago

Assertion failure: obj->isExtensible() (Can't add new property to non-extensible object), at js/src/vm/Shape.cpp:885

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
9.88 KB, text/plain
Details
Testcase
9.55 KB, text/plain
Details 
The following testcase crashes on mozilla-central revision a7461494a7a0 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

See attachment.

Backtrace:

#0  0x00005580f9c4cd07 in js::NativeObject::putDataProperty (cx=<optimized out>, cx@entry=0x7fde4d217000, obj=obj@entry=..., id=id@entry=..., attrs=5) at js/src/vm/Shape.cpp:884
#1  0x00005580f9beb267 in AddOrChangeProperty<(IsAddOrChange)1> (desc=..., id=..., obj=..., cx=0x7fde4d217000) at js/src/vm/NativeObject.cpp:1448
#2  js::NativeDefineProperty (cx=<optimized out>, cx@entry=0x7fde4d217000, obj=..., id=id@entry=..., desc_=..., result=...) at js/src/vm/NativeObject.cpp:1874
#3  0x00005580f9b8174e in js::DefineProperty (cx=cx@entry=0x7fde4d217000, obj=..., id=..., desc=..., result=...) at js/src/vm/JSObject.cpp:2823
#4  0x00005580f9b8179b in js::DefineProperty (cx=0x7fde4d217000, obj=..., id=id@entry=..., desc=..., desc@entry=...) at js/src/vm/JSObject.cpp:2812
/snip

For detailed crash information, see attachment.
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b46f3ba0c766
user:        Jan de Mooij
date:        Sat May 12 11:46:51 2018 +0200
summary:     Bug 1460381 - Support sealed and non-extensible dense elements on native objects. r=anba

Jan, is bug 1460381 a likely regressor?
Blocks: 1460381
Flags: needinfo?(jdemooij)
The testcase wasn't as small as I'd like but it was already getting harder to reproduce as it became smaller.
Follow-up patch for bug 1460381 should fix this; hopefully that will merge to m-c soon. Sorry :/
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Assignee: nobody → jdemooij
status-firefox60: --- → unaffected
status-firefox61: --- → unaffected
status-firefox62: affectedfixed
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Target Milestone: --- → mozilla62
Has Regression Range: yes → no
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: