Closed Bug 642326 Opened 14 years ago Closed 14 years ago

TI: Assertion failure: obj->slotSpan() <= obj->numSlots(), at jsgc.cpp:2852

Tracking

()

Status:

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey)

Christian Holler (:decoder)

Reporter

Description

•

14 years ago

The following test case (run with -n -a -m) asserts on TI tip (tested on 64 bit): this.__proto__ = []; gczeal(2); gc(); var box = evalcx('lazy');

Brian Hackett [Laid off!]

Comment 1

•

14 years ago

Always make sure that created objects have enough slots to match JSSLOT_FREE(getClass()). http://hg.mozilla.org/projects/jaegermonkey/rev/64a9e21c196a

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

Whiteboard: fixed-in-jaegermonkey

Christian Holler (:decoder)

Reporter

Comment 2

•

12 years ago

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug642326.js.

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TI: Assertion failure: obj->slotSpan() <= obj->numSlots(), at jsgc.cpp:2852

Categories

(Core :: JavaScript Engine, defect)

Tracking

()

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey)

Crash Data

Security

(public)

User Story

Description

Comment 1

Comment 2