Bug 658777 - TI: Assertion failure: numProperties == obj->slotSpan(), at jsinfer.cpp:2790
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Assigned To: general
QA Contact: Jason Orendorff [:jorendorff]
Blocks: infer-regress langfuzz
Reported: 2011-05-21 05:17 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:05 PST
choller: in‑testsuite+

Description Christian Holler (:decoder) 2011-05-21 05:17:07 PDT
The following testcase asserts on TI revision bdb2a82cfd16 (run with -j -m -n -a), tested on 64 bit:

function Employee(name, dept) this.name = name || "";
function WorkerBee(name, dept, projs) {
    this.base = Employee
    this.base(name, dept)
}
function Engineer(name, projs, machine) {
    this.base = WorkerBee
    this.base(name, "engineering", projs)
    __proto__["a" + constructor] = 1
}
new Engineer;

Comment 1 Brian Hackett (:bhackett) 2011-05-21 22:58:48 PDT
After invalidating information about the definite properties in an object, we need to walk the stack to look for any in-progress frames that invoke 'new' on the script and roll back their shape according to how far along they are in initialization. We didn't correctly handle the case where such a 'new' frame had already finished adding the definite properties and had added some more on top (in such cases, don't touch the shape of the frame's new object).
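
A simplified model of the stack walk described in comment 1, added here as an illustration; it is not SpiderMonkey code and not part of the original bug report. The types Obj and NewFrame, the function names, and the assumption that each frame knows how many definite-property writes it has already executed are hypothetical.

```cpp
// Toy model only: every name here is hypothetical, none is a SpiderMonkey API.
#include <cstddef>
#include <string>
#include <vector>

struct Obj {
    std::vector<std::string> shape;  // property names the shape claims, in slot order
    std::size_t slotSpan() const { return shape.size(); }
};

// One in-progress frame that invoked 'new' on the invalidated script.
struct NewFrame {
    Obj* thisObj;             // object under construction
    std::size_t initialized;  // definite-property writes already executed (assumed known)
};

enum class Fixup { RolledBack, LeftAlone };

// numDefinite: number of properties the analysis had pre-assigned to new objects.
Fixup fixupFrame(NewFrame& f, std::size_t numDefinite) {
    Obj& obj = *f.thisObj;
    // The case comment 1 says was mishandled: the frame finished the definite
    // properties and added more on top. Its shape is left untouched.
    if (obj.slotSpan() > numDefinite)
        return Fixup::LeftAlone;
    // Otherwise the object still carries the pre-assigned shape: cut it back
    // to the properties this frame has actually written so far.
    if (f.initialized < obj.slotSpan())
        obj.shape.resize(f.initialized);
    return Fixup::RolledBack;
}

// Walk every in-progress 'new' frame; returns how many objects were rolled back.
std::size_t walkStack(std::vector<NewFrame>& stack, std::size_t numDefinite) {
    std::size_t rolledBack = 0;
    for (NewFrame& f : stack)
        if (fixupFrame(f, numDefinite) == Fixup::RolledBack)
            ++rolledBack;
    return rolledBack;
}

int main() {
    Obj early, late;  // constructed sample objects
    early.shape = {"base", "name"};
    late.shape = {"base", "name", "extra"};
    std::vector<NewFrame> stack = {{&early, 1}, {&late, 2}};
    bool ok = walkStack(stack, 2) == 1 && early.slotSpan() == 1 && late.slotSpan() == 3;
    return ok ? 0 : 1;
}
```
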
Comment 2 Christian Holler (:decoder) 2013-01-14 08:05:18 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug658777.js.
