Closed
Bug 1481032
Opened 6 years ago
Closed 6 years ago
Assertion failure: reqCapacity < oldCapacity, at js/src/vm/NativeObject.cpp:988
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla63
| Tracking | Status | |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox-esr60 | --- | unaffected |
| firefox61 | --- | unaffected |
| firefox62 | --- | unaffected |
| firefox63 | --- | fixed |
People
(Reporter: gkw, Assigned: anba)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
8.16 KB,
text/plain
|
Details | |
|
1.79 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 37b33c4f58b9 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
x = [];
x[6] = 0;
Object.preventExtensions(x);
x.length = 1;
Backtrace:
#0 0x000000000191e25f in js::NativeObject::shrinkElements (this=0x7f038c8002c0, cx=0x7f038c917000, reqCapacity=1) at js/src/vm/NativeObject.cpp:988
#1 0x000000000108bb13 in js::ArraySetLength (cx=0x7f038c917000, arr=..., id=..., attrs=4, value=..., result=...) at js/src/builtin/Array.cpp:795
#2 0x0000000001926b78 in js::CallJSSetterOp (cx=<optimized out>, op=0x108c470 <array_length_setter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::ObjectOpResult&)>, result=..., obj=..., id=..., v=...) at js/src/vm/JSContext-inl.h:301
#3 NativeSetExistingDataProperty (cx=<optimized out>, obj=..., shape=..., v=..., result=...) at js/src/vm/NativeObject.cpp:2516
#4 SetExistingProperty (cx=0x7f038c917000, id=..., v=..., receiver=..., pobj=..., prop=..., result=...) at js/src/vm/NativeObject.cpp:2728
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•6 years ago
|
||
|
|
Reporter | |
Comment 2•6 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c543368b25a6
user: André Bargull
date: Thu Aug 02 13:03:04 2018 -0700
summary: Bug 1478503: Shrink capacity when modifying length on a non-extensible array. r=jandem
Andre, is bug 1478503 a likely regressor?
Blocks: 1478503
Flags: needinfo?(andrebargull)
|
Assignee | |
Comment 3•6 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2)
> Andre, is bug 1478503 a likely regressor?
Yes, the issue is caused by bug 1478503.
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
|
|
Assignee | |
Comment 4•6 years ago
|
||
Simply overlooked to adjust the call to shrinkElements() in ArraySetLength.
Attachment #8997970 -
Flags: review?(jdemooij)
|
||
Updated•6 years ago
|
Attachment #8997970 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 5•6 years ago
|
||
Try: https://treeherder.mozilla.org/#/jobs?repo=try&revision=495374cf2efd8f47ba02446e22fe0fac6d05c6b7
Keywords: checkin-needed
Pushed by btara@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b20289e44689
Non-extensible arrays are already shrunk to capacity. r=jandem
Keywords: checkin-needed
|
||
Comment 7•6 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
|
||
Updated•6 years ago
|
status-firefox61:
--- → unaffected
status-firefox62:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•