1057582 - Assertion failure: !ObjectMayHaveExtraIndexedProperties(obj), at jit/VMFunctions.cpp:405

Status: RESOLVED FIXED

(Core :: JavaScript Engine: JIT, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision cd2acc7ab2f8 (run with --no-threads --fuzzing-safe --ion-eager):


Object.defineProperty(Object.prototype, "0", {
    configurable: true
});
delete Object.prototype[0];
function A(a) { this.a = a; }
function B(b) { this.b = b; }
function C(c) {}
function makeArray(n) {
    var classes = [A, B, C];
    var arr = [];
    for (var i = 0; i < n; i++) {
        arr.push(new classes[i % 3](i % 3));
    }
}
var arr = makeArray(30000);

Comment 1

[Christian Holler (:decoder)]

Attachment: [crash-signature] Machine-readable crash signature

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a4877238de09
user:        Jan de Mooij
date:        Thu Aug 21 18:51:40 2014 +0200
summary:     Bug 1056795 - Optimize ArrayPushDense. r=bhackett

This iteration took 623.193 seconds to run.

Comment 3

[Christian Holler (:decoder)]

Needinfo from Jan based on comment 2 :)

Comment 4

[Jan de Mooij [:jandem]]

Attachment: Patch

Bogus assert. ObjectMayHaveExtraIndexedProperties returns true because Object.prototype has obj->indexed() == true. But the type information for the property does not reflect this because it's instantiated after the property has been deleted:

Object.defineProperty(Object.prototype, "0", {configurable: true});
delete Object.prototype[0];

Comment 5

[Jan de Mooij [:jandem]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/68bb8434fbec

Comment 6

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/68bb8434fbec