1817598 - Assertion failure: idx < getDenseInitializedLength(), at vm/NativeObject.h:601

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[lukas.bernhard]

Steps to reproduce:

On git commit 0e3779abe6ad44feb787a295fbb67bc9fe4e927a the attached sample asserts when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js. Bisecting the issue points to commit 54d824cb31489fb2884e3d23172cdde9808ee5ed related to bug 1816890.

const v2 = this.blackRoot();
v2[1000n] = 1000n;
gc();

#0  0x00005555573be107 in js::NativeObject::getDenseElement (this=0x3f42bd83e138, idx=0)
    at js/src/vm/NativeObject.h:601
#1  0x000055555737013b in TraceRootArrays (trc=0x7ffff743c440, color=js::gc::MarkColor::Black)
    at js/src/shell/js.cpp:801
#2  0x000055555736185e in TraceBlackRoots (trc=0x7ffff743c440, data=0x0)
    at js/src/shell/js.cpp:810
#3  0x00005555584d91c6 in js::gc::GCRuntime::traceEmbeddingBlackRoots (this=0x7ffff7423728, trc=0x7ffff743c440)
    at js/src/gc/RootMarking.cpp:379
#4  0x00005555584d8b69 in js::gc::GCRuntime::traceRuntimeCommon (this=0x7ffff7423728, trc=0x7ffff743c440,
    traceOrMark=js::gc::GCRuntime::MarkRuntime) at js/src/gc/RootMarking.cpp:362
#5  0x00005555584d8701 in js::gc::GCRuntime::traceRuntimeForMajorGC (this=0x7ffff7423728, trc=0x7ffff743c440,
    session=...) at js/src/gc/RootMarking.cpp:242
#6  0x000055555840c679 in js::gc::GCRuntime::beginMarkPhase (this=0x7ffff7423728, session=...)
    at js/src/gc/GC.cpp:2880
#7  0x000055555840fbea in js::gc::GCRuntime::incrementalSlice (this=0x7ffff7423728, budget=...,
    reason=JS::GCReason::API, budgetWasIncreased=false) at js/src/gc/GC.cpp:3614
#8  0x00005555584123b5 in js::gc::GCRuntime::gcCycle (this=0x7ffff7423728, nonincrementalByAPI=true,
    budgetArg=..., reason=JS::GCReason::API) at js/src/gc/GC.cpp:4198
#9  0x0000555558413332 in js::gc::GCRuntime::collect (this=0x7ffff7423728, nonincrementalByAPI=true, budget=...,
    reason=JS::GCReason::API) at js/src/gc/GC.cpp:4386
#10 0x00005555583f2432 in js::gc::GCRuntime::gc (this=0x7ffff7423728, options=JS::GCOptions::Normal,
    reason=JS::GCReason::API) at js/src/gc/GC.cpp:4463
#11 0x000055555846616e in JS::NonIncrementalGC (cx=0x7ffff742f100, options=JS::GCOptions::Normal,
    reason=JS::GCReason::API) at js/src/gc/GCAPI.cpp:297
#12 0x0000555557e39670 in GC (cx=0x7ffff742f100, argc=0, vp=0x7ffff4cf6090)
    at js/src/builtin/TestingFunctions.cpp:705
#13 0x000055555756bd5e in CallJSNative (cx=0x7ffff742f100,
    :Value*)>, reason=js::CallReason::Call, args=...)
    at js/src/vm/Interpreter.cpp:459
#14 0x000055555756b59d in js::InternalCallOrConstruct (cx=0x7ffff742f100, args=..., construct=js::NO_CONSTRUCT,
    reason=js::CallReason::Call) at js/src/vm/Interpreter.cpp:547
#15 0x000055555756c931 in InternalCall (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:614
#16 0x000055555756c6f5 in js::CallFromStack (cx=0x7ffff742f100, args=..., reason=js::CallReason::Call)
    at js/src/vm/Interpreter.cpp:619

Comment 1

[Jon Coppeard (:jonco)]

Attachment: Bug 1817598 - Fix tracing of test root arrays r?sfink

Array::length() includes big int indices which are not resulted by
NativeObject::getDenseElement. The simplest thing to do here is only trace
dense elements.

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1816890

Comment 4

[Pulsebot]

Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/901f0bb8825a
Fix tracing of test root arrays r=sfink

Comment 5

[Iulian Moraru]

https://hg.mozilla.org/mozilla-central/rev/901f0bb8825a