Last Comment Bug 643847 - "Assertion failure: !entry->vindex,"
: "Assertion failure: !entry->vindex,"
Status: RESOLVED FIXED
js-triage-needed
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- critical (vote)
: ---
Assigned To: general
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: 596805 630996
  Show dependency treegraph
 
Reported: 2011-03-22 11:58 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 13:59 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
?


Attachments

Description Gary Kwong [:gkw] [:nth10sd] 2011-03-22 11:58:04 PDT
function f(o) {
  o.constructor = function() {};
}
__proto__.__defineSetter__('constructor',
function(v) {});
f({});
Object.defineProperty(__proto__, 'constructor', {
  writable: true,
});
f({});

asserts js debug shell on TM changeset c811be25eaad without -m nor -j at Assertion failure: entry->vcapTag() == 0

Not the smallest regression window:

http://hg.mozilla.org/tracemonkey/pushloghtml?fromchange=71c0268fb372&tochange=301b97a20042
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-03-22 12:03:34 PDT
Tested on 64-bit shell.
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-03-25 03:23:02 PDT
Testing on 32-bit shell in 64-bit Ubuntu Linux 10.04,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   54587:7ef107ab081e
user:        Brendan Eich
date:        Thu Sep 16 11:56:54 2010 -0700
summary:     Fix shape vs. slot management under putProperty, plus related layering and error reporting fixes (596805, r=jorendorff).

This means the regression window in comment #0 is incorrect.
Comment 3 Gary Kwong [:gkw] [:nth10sd] 2011-12-08 11:59:55 PST
Still occurs in m-c changeset 5c8405e6226e which has now morphed to:

Assertion failure: !entry->vindex,
Comment 4 Christian Holler (:decoder) 2011-12-08 12:02:36 PST
Could be a duplicate of bug 637202.
Comment 5 Gary Kwong [:gkw] [:nth10sd] 2011-12-31 19:33:10 PST
Fixed by bug 713944.

https://hg.mozilla.org/mozilla-central/rev/a258a0b2d9e4
Comment 6 Christian Holler (:decoder) 2013-01-19 13:59:22 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.