Assertion failure: obj->uninlinedNonProxyIsExtensible(), at js/src/vm/Shape-inl.h:443
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox-esr78 | --- | unaffected |
| firefox80 | --- | unaffected |
| firefox81 | --- | unaffected |
| firefox82 | --- | wontfix |
| firefox83 | --- | verified |
People
(Reporter: decoder, Assigned: mgaudet)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20200911-b133e2d673e8 (debug build, run with --fuzzing-safe --ion-offthread-compile=off --enable-private-methods):
class OverrideBase {
constructor(o30) {
return o30;
}
};
class A3 extends OverrideBase {
get #m() {}
}
var obj = {};
Object.seal(obj);
new A3(obj);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 js::NativeObject::addAccessorProperty (cx=0x7ffff6047000, obj=..., id=..., getter=0x290f8bb98060, setter=0x0, attrs=48) at js/src/vm/Shape-inl.h:443
#1 0x0000555557056c6e in AddOrChangeProperty<(IsAddOrChange)0> (cx=0x7ffff6047000, obj=obj@entry=..., id=id@entry=..., desc=...) at js/src/vm/NativeObject.cpp:1563
#2 0x0000555557055bc6 in js::NativeDefineProperty (cx=0x7ffff7104540 <_IO_2_1_stderr_>, cx@entry=0x7ffff6047000, obj=obj@entry=..., id=..., id@entry=..., desc_=..., result=...) at js/src/vm/NativeObject.cpp:1870
#3 0x0000555557003415 in js::DefineAccessorProperty (cx=<optimized out>, obj=..., id=..., getter=..., setter=..., attrs=16, result=...) at js/src/vm/JSObject.cpp:2764
#4 0x0000555557003818 in js::DefineAccessorProperty (cx=0x7ffff6047000, obj=..., id=..., getter=..., setter=..., attrs=4160331264) at js/src/vm/JSObject.cpp:2783
#5 0x0000555556cefb2a in InitGetterSetterOperation (cx=cx@entry=0x7ffff6047000, pc=pc@entry=0x7ffff4e73cb6 "Bޥ", obj=obj@entry=..., id=id@entry=..., val=val@entry=...) at js/src/vm/Interpreter.cpp:5275
#6 0x0000555556cefc5f in js::InitElemGetterSetterOperation (cx=0x7ffff6047000, pc=0x7ffff4e73cb6 "Bޥ", obj=obj@entry=..., idval=idval@entry=..., val=val@entry=...) at js/src/vm/Interpreter.cpp:5294
#7 0x0000555556cdb299 in Interpret (cx=0x7ffff7104540 <_IO_2_1_stderr_>, cx@entry=0x7ffff6047000, state=...) at js/src/vm/Interpreter.cpp:3965
[...]
rax 0x55555591f3d3 93824996209619
rbx 0x0 0
rcx 0x5555584dff48 93825042087752
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffb920 140737488337184
rsp 0x7fffffffb8c0 140737488337088
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99e00 140737353719296
r10 0x58 88
r11 0x7ffff6dac7a0 140737334921120
r12 0x7fffffffbe08 140737488338440
r13 0x7fffffffbb68 140737488337768
r14 0x7ffff6047000 140737320873984
r15 0x30 48
rip 0x555556d515c6 <js::NativeObject::addAccessorProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>), bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::ObjectOpResult&), unsigned int)+598>
=> 0x555556d515c6 <js::NativeObject::addAccessorProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>), bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::ObjectOpResult&), unsigned int)+598>: movl $0x1bb,0x0
0x555556d515d1 <js::NativeObject::addAccessorProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>), bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::ObjectOpResult&), unsigned int)+609>: callq 0x555556be836e <abort()>
|
Reporter | |
Comment 1•4 years ago
|
||
|
Assignee | |
Comment 2•4 years ago
|
||
|
||
Updated•4 years ago
|
|
||
Comment 3•4 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200912092623-6f8fba692420.
The bug appears to have been introduced in the following build range:
Start: e1cf0bdac6b6f3dd22ef30dbc4787e5740c518c0 (20200827163656)
End: ad7e26606d081d3928894ae78193be11e370b393 (20200827163831)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e1cf0bdac6b6f3dd22ef30dbc4787e5740c518c0&tochange=ad7e26606d081d3928894ae78193be11e370b393
|
||
Updated•4 years ago
|
|
||
Updated•4 years ago
|
|
||
Comment 4•4 years ago
|
||
Set release status flags based on info from the regressing bug 1660882
|
||
Comment 6•4 years ago
|
||
| bugherder | ||
|
|
||
Comment 7•4 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200921213612-a5cdfde00f15.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
|
|
||
Comment 8•4 years ago
|
||
The patch landed in nightly and beta is affected.
:mgaudet, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
|
|
Assignee | |
Comment 9•4 years ago
|
||
Setting status-firefox82 to wontfix, as this assertion can only trigger by enabling private methods, which aren't shipping in beta.
Description
•