Closed Bug 1219363 Opened 9 years ago Closed 9 years ago

Crash [@ SortComparatorIntegerIds] or Assertion failure: (IdIsIndex(a, &indexA)), at jsiter.cpp or Assertion failure: (IdIsIndex(b, &indexB)), at jsiter.cpp

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 macOS
Type: defect
Priority: Not set
Severity: critical

Status: VERIFIED FIXED
Target Milestone: mozilla45
Tracking Status: firefox44 --- fixed; firefox45 --- fixed; b2g-v2.5 --- fixed

People: Reporter: gkw, Assigned: jandem

Details: 4 keywords, Whiteboard: [fuzzblocker][jsbugmon:update]

Attachments: 2 files
x = []; x.a = 0; x.__proto__ = Object.defineProperty([, 1], 2, {}); for (var z in x) {};

asserts js debug shell on m-c changeset 4e164269cf88 with --fuzzing-safe --no-threads --no-ion --no-baseline at Assertion failure: (IdIsIndex(a, &indexA)), at jsiter.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --disable-threadsafe --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 4e164269cf88

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151024102235" and the hash "430fb98d29000430e6566c8187413ecca0ff1c0d".
The "bad" changeset has the timestamp "20151024120137" and the hash "45dd451ce4ed9ccf912f57ee019b237becfc28b8".

Likely regression window:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=430fb98d29000430e6566c8187413ecca0ff1c0d&tochange=45dd451ce4ed9ccf912f57ee019b237becfc28b8

Jan, is bug 1175111 a likely regressor?

Setting s-s because the testcase involves arrays and this can be scary.
Flags: needinfo?(jdemooij)
Attached file stack (deleted) —
(lldb) bt 5
* thread #1: tid = 0x26344b, 0x000000010054e67e js-dbg-64-dm-darwin-4e164269cf88`SortComparatorIntegerIds(a=<unavailable>, b=<unavailable>, lessOrEqualp=<unavailable>) + 94 at jsiter.cpp:142, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010054e67e js-dbg-64-dm-darwin-4e164269cf88`SortComparatorIntegerIds(a=<unavailable>, b=<unavailable>, lessOrEqualp=<unavailable>) + 94 at jsiter.cpp:142
    frame #1: 0x000000010056809b js-dbg-64-dm-darwin-4e164269cf88`bool js::MergeSort<jsid, bool (*)(jsid, jsid, bool*)>(array=0x00007fff5fbfe5a8, nelems=2, scratch=0x00007fff5fbfe288, c=(js-dbg-64-dm-darwin-4e164269cf88`SortComparatorIntegerIds(jsid, jsid, bool*) at jsiter.cpp:140))(jsid, jsid, bool*)) + 123 at Sort.h:100
    frame #2: 0x000000010054e2bf js-dbg-64-dm-darwin-4e164269cf88`EnumerateNativeProperties(cx=0x0000000102b45400, pobj=<unavailable>, flags=1, ht=0x00007fff5fbfe480, props=0x00007fff5fbfe568) + 1999 at jsiter.cpp:206
    frame #3: 0x0000000100532225 js-dbg-64-dm-darwin-4e164269cf88`Snapshot(cx=0x0000000102b45400, pobj_=<unavailable>, flags=1, props=0x00007fff5fbfe568) + 805 at jsiter.cpp:363
    frame #4: 0x0000000100534bc6 js-dbg-64-dm-darwin-4e164269cf88`js::GetIterator(cx=0x0000000102b45400, obj=<unavailable>, flags=1, objp=<unavailable>) + 2134 at jsiter.cpp:862
(lldb)
During reduction, crashes involving SortComparatorIntegerIds sometimes showed up.
Crash Signature: [@ SortComparatorIntegerIds]
Keywords: crash
Summary: Assertion failure: (IdIsIndex(a, &indexA)), at jsiter.cpp → Crash [@ SortComparatorIntegerIds] or Assertion failure: (IdIsIndex(a, &indexA)), at jsiter.cpp
Attached patch Patch (deleted) — Splinter Review
Someone please take away my commit access. We can't sort the elements starting at index 0, because the Vector may contain other properties from objects on the prototype.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8680194 - Flags: review?(jorendorff)
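To make the comment above concrete, here is an added, simplified C++ model of the enumeration path (not SpiderMonkey's own code; Id, Obj, Enumerate and the k* objects are hypothetical names). Ids for the whole prototype chain accumulate in one vector, and the regression sorted an object's index ids from position 0 of that vector, so x's own property "a" reached the integer-only comparator.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical, simplified stand-in for SpiderMonkey's jsid: an array index or a name.
struct Id { bool isIndex; uint32_t index; std::string name; };
static Id IndexId(uint32_t i) { return Id{true, i, ""}; }
static Id NameId(const std::string& n) { return Id{false, 0, n}; }

// Toy object: dense elements, properties stored in its shape (definition order), prototype.
struct Obj { std::vector<uint32_t> dense; std::vector<Id> shapeProps; const Obj* proto; };

struct Result {
    std::vector<Id> props;       // for-in id list shared by every object on the chain
    bool comparatorSawNonIndex;  // models SortComparatorIntegerIds' IdIsIndex assertion firing
};
// For each object on the chain: its index ids sorted ascending, then its named properties.
// `fixed` selects where the sort starts: this object's first id (patch) or position 0 (regression).
static Result Enumerate(const Obj* obj, bool fixed) {
    Result r{{}, false};
    auto less = [&r](const Id& a, const Id& b) {
        if (!a.isIndex || !b.isIndex) r.comparatorSawNonIndex = true;  // the real code asserts here
        if (a.isIndex != b.isIndex) return !a.isIndex;  // keep a strict weak ordering for std::sort
        return a.isIndex && a.index < b.index;
    };
    for (; obj; obj = obj->proto) {
        size_t start = r.props.size();  // ids before this position belong to earlier objects
        for (uint32_t i : obj->dense) r.props.push_back(IndexId(i));
        std::vector<Id> named;
        bool hasIndexedShapeProp = false;
        for (const Id& id : obj->shapeProps) {
            if (id.isIndex) { r.props.push_back(id); hasIndexedShapeProp = true; }
            else named.push_back(id);
        }
        if (hasIndexedShapeProp) {
            auto first = fixed ? r.props.begin() + start : r.props.begin();
            std::sort(first, r.props.end(), less);
        }
        r.props.insert(r.props.end(), named.begin(), named.end());
    }
    return r;
}

// Constructed from the bug's test case:
//   x = []; x.a = 0; x.__proto__ = Object.defineProperty([, 1], 2, {});
// [, 1] has dense element 1; defineProperty(2, {}) adds sparse index 2 to the shape.
static const Obj kProto{{1}, {IndexId(2)}, nullptr};
static const Obj kX{{}, {NameId("a")}, &kProto};
```

With `fixed == false` the comparator sees "a" (the assertion in the report); with `fixed == true` only the prototype's 1 and 2 are sorted and the list comes out as a, 1, 2.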
Elevating this to [fuzzblocker] - I'm increasingly seeing (other variants of) this assertion that may or may not be related.
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:update]
Comment on attachment 8680194 [details] [diff] [review]
Patch

Review of attachment 8680194 [details] [diff] [review]:
-----------------------------------------------------------------

The worst case here is you get elements in a shuffled order, right? If so, the bug can be opened. But as it's a recent regression, we should backport this to Aurora.

Sorry I missed this on review. Ugh.
Attachment #8680194 - Flags: review?(jorendorff) → review+
This also causes: Assertion failure: (IdIsIndex(b, &indexB)), at jsiter.cpp which I've tested to be fixed by the patch.
Summary: Crash [@ SortComparatorIntegerIds] or Assertion failure: (IdIsIndex(a, &indexA)), at jsiter.cpp → Crash [@ SortComparatorIntegerIds] or Assertion failure: (IdIsIndex(a, &indexA)), at jsiter.cpp or Assertion failure: (IdIsIndex(b, &indexB)), at jsiter.cpp
https://hg.mozilla.org/integration/mozilla-inbound/rev/3a49120fe460

(In reply to Jason Orendorff [:jorendorff] from comment #5)
> The worst case here is you get elements in a shuffled order, right? If so,
> the bug can be opened.

True.
Group: javascript-core-security
Comment on attachment 8680194 [details] [diff] [review]
Patch

Approval Request Comment
[Feature/regressing bug #]: Bug 1175111.
[User impact if declined]: Broken websites or debug builds.
[Describe test coverage new/current, TreeHerder]: Fixes the test it adds.
[Risks and why]: Very low risk, patch is quite trivial.
[String/UUID change made/needed]: None.
Attachment #8680194 - Flags: approval-mozilla-aurora?
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla45
Removing the b2g 2.5 flag since this commit has been reverted due to an incorrect merge; sorry for the confusion.
Gary, could you please verify that this is fixed as expected on a latest Nightly build? Thanks in advance.
Flags: needinfo?(gary)
Comment on attachment 8680194 [details] [diff] [review]
Patch

Fixes a recent regression, let's uplift to Aurora44.
Attachment #8680194 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(In reply to Ritu Kothari (:ritu) from comment #12)
> Gary, could you please verify that this is fixed as expected on a latest
> Nightly build? Thanks in advance.

Erm, yes again? (usually we just wait for JSBugMon results)

A test was also landed.

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/3a49120fe460
user: Jan de Mooij
date: Tue Nov 03 08:34:56 2015 +0100
summary: Bug 1219363 - Fix sort of indexed properties to not include properties already in the Vector. r=jorendorff
Status: RESOLVED → VERIFIED
Flags: needinfo?(gary)