Closed Bug 1461167 Opened 7 years ago Closed 7 years ago

Assertion failure: obj->isExtensible() (Can't add new property to non-extensible object), at js/src/vm/Shape.cpp:885

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: gkw, Assigned: jandem)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

Detailed Crash Information
9.88 KB, text/plain
Details
Testcase
9.55 KB, text/plain
Details
The following testcase crashes on mozilla-central revision a7461494a7a0 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion): See attachment. Backtrace: #0 0x00005580f9c4cd07 in js::NativeObject::putDataProperty (cx=<optimized out>, cx@entry=0x7fde4d217000, obj=obj@entry=..., id=id@entry=..., attrs=5) at js/src/vm/Shape.cpp:884 #1 0x00005580f9beb267 in AddOrChangeProperty<(IsAddOrChange)1> (desc=..., id=..., obj=..., cx=0x7fde4d217000) at js/src/vm/NativeObject.cpp:1448 #2 js::NativeDefineProperty (cx=<optimized out>, cx@entry=0x7fde4d217000, obj=..., id=id@entry=..., desc_=..., result=...) at js/src/vm/NativeObject.cpp:1874 #3 0x00005580f9b8174e in js::DefineProperty (cx=cx@entry=0x7fde4d217000, obj=..., id=..., desc=..., result=...) at js/src/vm/JSObject.cpp:2823 #4 0x00005580f9b8179b in js::DefineProperty (cx=0x7fde4d217000, obj=..., id=id@entry=..., desc=..., desc@entry=...) at js/src/vm/JSObject.cpp:2812 /snip For detailed crash information, see attachment.
autobisectjs shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/b46f3ba0c766 user: Jan de Mooij date: Sat May 12 11:46:51 2018 +0200 summary: Bug 1460381 - Support sealed and non-extensible dense elements on native objects. r=anba Jan, is bug 1460381 a likely regressor?
Blocks: 1460381
Flags: needinfo?(jdemooij)
The testcase wasn't as small as I'd like but it was already getting harder to reproduce as it became smaller.
Follow-up patch for bug 1460381 should fix this; hopefully that will merge to m-c soon. Sorry :/
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → FIXED
Assignee: nobody → jdemooij
status-firefox60: --- → unaffected
status-firefox61: --- → unaffected
status-firefox62: affectedfixed
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Target Milestone: --- → mozilla62
Has Regression Range: yes → no
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: