
"Assertion failure: obj->isExtensible()" with Object.seal, sharps

RESOLVED FIXED in mozilla8

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Jesse Ruderman, Assigned: jorendorff)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla8
All
Linux
assertion, regression, testcase

Firefox Tracking Flags

(blocking2.0 .x+)

Details

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 491791 [details]
stack trace

js> (#1={x:Object.seal(#1#)})

Debug asserts:
Assertion failure: obj->isExtensible(), at jspropertycacheinlines.h:133

Opt behavior seems reasonable:
typein:1: TypeError: ({}) is not extensible


The first bad revision is:
changeset:   441f83a81fb8
user:        Jim Blandy
date:        Tue Sep 21 11:35:30 2010 -0700
summary:     Bug 492845: Implement Object.isSealed, Object.seal. a=jwalden, r=brendan

Still occurs as of TM changeset 284811f39ca6 on a 32-bit shell on Linux.

(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb7610 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081cbae1 in JS_Assert (s=0x83b9534 "obj->isExtensible()", file=0x83b944c "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jspropertycacheinlines.h", ln=133)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsutil.cpp:83
#3  0x08325e9d in js::PropertyCache::testForInit (this=0x840387c, rt=0x84035e8, pc=0x848f0a9 "]", obj=0xf7608048, shapep=0xffffc948, entryp=0xffffc940)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jspropertycacheinlines.h:133
#4  0x0831e106 in js::Interpret (cx=0x8451e78, entryFrame=0xf7790030, inlineCallCount=0, interpMode=JSINTERP_NORMAL)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:5955
#5  0x0810731c in js::RunScript (cx=0x8451e78, script=0x848f020, fp=0xf7790030) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:657
#6  0x08108597 in js::Execute (cx=0x8451e78, chain=0xf7602028, script=0x848f020, prev=0x0, flags=0, result=0xffffd210)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:1023
#7  0x08074871 in JS_ExecuteScript (cx=0x8451e78, obj=0xf7602028, script=0x848f020, rval=0xffffd210) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsapi.cpp:4883
#8  0x0804c78b in Process (cx=0x8451e78, obj=0xf7602028, filename=0x0, forceTTY=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:548
#9  0x0804d3e5 in ProcessArgs (cx=0x8451e78, obj=0xf7602028, argv=0xffffd418, argc=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:943
#10 0x08056c86 in Shell (cx=0x8451e78, argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:5428
#11 0x08056e61 in main (argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:5536
blocking2.0: --- → ?
Keywords: regression
Hardware: x86_64 → All
blocking2.0: ? → .x
(Assignee)

Updated

6 years ago
Assignee: general → jorendorff
(Assignee)

Comment 2

6 years ago
Created attachment 516691 [details] [diff] [review]
v1

The assertion is invalid in the face of sharp variables exposing an object to script ahead of a JSOP_INITPROP on that object.

This moves the assertion someplace safe. I'll try to remember to move it back once sharp variables are removed.

(JSOP_INITPROP/JSOP_INITMETHOD only make a property cache entry if a property is actually added. If the object is inextensible, that can't happen, so the property cache contains no entries for INIT opcodes on inextensible objects.)
Attachment #516691 - Flags: review?(jwalden+bmo)
Attachment #516691 - Flags: review?(jwalden+bmo) → review+
(Assignee)

Comment 3

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/0f6ccf479e10
Whiteboard: [inbound]
https://hg.mozilla.org/mozilla-central/rev/0f6ccf479e10
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Whiteboard: [inbound]
Target Milestone: --- → mozilla8
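
The test case in the description depends on sharp variables, a non-standard SpiderMonkey syntax that current engines no longer parse. The following is an added example, not code from this bug or from the SpiderMonkey tree: it reproduces the same situation in standard JavaScript, where a base-class constructor exposes the object to script (and seals it) before a derived-class field initializer tries to add `x`, and checks that the engine reports a TypeError, as the opt build did. The names `makeDerived` and `tryInit` are hypothetical helpers.

```javascript
// Build a class pair whose base constructor hands the new object to `hook`
// before the derived class's field initializer runs.
function makeDerived(hook) {
  class Base {
    constructor() {
      hook(this); // script sees the object while it is still empty
    }
  }
  return class Derived extends Base {
    x = 1; // defined on the object only after Base's constructor returns
  };
}

// Construct one object and report what happened to it.
function tryInit(hook) {
  let seen = null;
  const Derived = makeDerived((obj) => {
    seen = obj;
    hook(obj);
  });
  let error = null;
  try {
    new Derived();
  } catch (e) {
    error = e.name; // a correct engine throws here instead of asserting
  }
  return {
    error,
    extensible: Object.isExtensible(seen),
    hasX: Object.prototype.hasOwnProperty.call(seen, 'x'),
  };
}

const sealedEarly = tryInit(Object.seal); // analogue of Object.seal(#1#)
const untouched = tryInit(() => {});      // control: nothing seals the object
console.log(sealedEarly, untouched);
```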