Assertion failure: !denseElementsAreFrozen(), at vm/NativeObject.h:1355
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr78 | --- | unaffected |
| firefox88 | --- | unaffected |
| firefox89 | --- | unaffected |
| firefox90 | --- | verified |
People
(Reporter: decoder, Assigned: evilpies)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210519-3557d61e4136 (debug build, run with --fuzzing-safe --no-threads):
a1=[];
a1[16]=1;
Object.freeze(a1);
Object.defineProperty(a1,16,({c:false}));
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556beeaf0 in js::NativeObject::setDenseElementUnchecked(unsigned int, JS::Value const&) ()
#1 0x0000555556f06fd2 in js::NativeObject::removeDenseElementForSparseIndex(unsigned int) ()
#2 0x0000555556ee1586 in bool AddOrChangeProperty<(IsAddOrChange)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, js::PropertyResult*) ()
#3 0x0000555556edf8c2 in js::NativeDefineProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) ()
#4 0x0000555556e8f942 in js::DefineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) ()
#5 0x0000555556f76b8a in intrinsic_DefineProperty(JSContext*, unsigned int, JS::Value*) ()
#6 0x0000555556b8bc91 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#18 0x00005555569f7e28 in main ()
rax 0x55555588d374 93824995611508
rbx 0x10 16
rcx 0x555558038af8 93825037208312
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffba40 140737488337472
rsp 0x7fffffffba10 140737488337424
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7fffffffbba0 140737488337824
r13 0x7fffffffbb68 140737488337768
r14 0x1a3e86b00578 28855849977208
r15 0x1a3e86b00578 28855849977208
rip 0x555556beeaf0 <js::NativeObject::setDenseElementUnchecked(unsigned int, JS::Value const&)+352>
=> 0x555556beeaf0 <_ZN2js12NativeObject24setDenseElementUncheckedEjRKN2JS5ValueE+352>: movl $0x54b,0x0
0x555556beeafb <_ZN2js12NativeObject24setDenseElementUncheckedEjRKN2JS5ValueE+363>: callq 0x555556a832fa <abort>
|
Reporter | |
Comment 1•5 years ago
|
||
|
||
Updated•5 years ago
|
|
Assignee | |
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 2•5 years ago
|
||
I think we should look into removing DefinePropertyIsRedundant and insteading implementing
NativeDefineProperty to be closer to OrdinaryDefineOwnProperty in the spec.
|
||
Comment 4•5 years ago
|
||
Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20210519083222-de62b7dc09b8.
The bug appears to have been introduced in the following build range:
Start: 2cdba28eb8e5dcab3cbe6b38e6e9fda555610bae (20210518095331)
End: 8257bbb07294c7f9d3985eda50edc7d9c96007f1 (20210518102147)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2cdba28eb8e5dcab3cbe6b38e6e9fda555610bae&tochange=8257bbb07294c7f9d3985eda50edc7d9c96007f1
|
||
Comment 5•5 years ago
|
||
| bugherder | ||
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Comment 6•5 years ago
|
||
Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20210519214756-1bbf4362b266.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Description
•