Closed Bug 643847 Opened 15 years ago Closed 14 years ago

"Assertion failure: !entry->vindex,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking-fx --- ?

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)

function f(o) { o.constructor = function() {}; } __proto__.__defineSetter__('constructor', function(v) {}); f({}); Object.defineProperty(__proto__, 'constructor', { writable: true, }); f({}); asserts js debug shell on TM changeset c811be25eaad without -m nor -j at Assertion failure: entry->vcapTag() == 0 Not the smallest regression window: http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=71c0268fb372&tochange=301b97a20042
Tested on 64-bit shell.
Testing on 32-bit shell in 64-bit Ubuntu Linux 10.04, autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 54587:7ef107ab081e user: Brendan Eich date: Thu Sep 16 11:56:54 2010 -0700 summary: Fix shape vs. slot management under putProperty, plus related layering and error reporting fixes (596805, r=jorendorff). This means the regression window in comment #0 is incorrect.
Blocks: 596805
OS: Mac OS X → All
Hardware: x86 → All
blocking-fx: --- → ?
Whiteboard: js-triage-needed
Still occurs in m-c changeset 5c8405e6226e which has now morphed to: Assertion failure: !entry->vindex,
Summary: "Assertion failure: entry->vcapTag() == 0," → "Assertion failure: !entry->vindex,"
Could be a duplicate of bug 637202.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.