TI: Assertion failure: numProperties == obj->slotSpan(), at jsinfer.cpp:2790

RESOLVED FIXED

Status


Core
JavaScript Engine
--
critical
6 years ago
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Trunk
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
The following testcase asserts on TI revision bdb2a82cfd16 (run with -j -m -n -a), tested on 64 bit:

function Employee(name, dept) this.name = name || "";
function WorkerBee(name, dept, projs) {
    this.base = Employee
    this.base(name, dept)
}
function Engineer(name, projs, machine) {
    this.base = WorkerBee
    this.base(name, "engineering", projs)
    __proto__["a" + constructor] = 1
}
new Engineer;

After invalidating information about the definite properties in an object, we need to walk the stack to look for any in-progress frames that invoke 'new' on the script and roll back their shape according to how far along they are in initialization. We didn't correctly handle the case where such a 'new' frame had already finished adding the definite properties and had added some more on top (in such cases, don't touch the shape of the frame's new object).

http://hg.mozilla.org/projects/jaegermonkey/rev/51f64eb6313b
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
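
A simplified model of the rollback described in the comment above, as an added example that is not code from this bug or from SpiderMonkey. `Obj`, `Frame`, `clearDefiniteProperties` and the reduction of a shape to a list of property names are assumptions made for illustration; the model also assumes that an object created by 'new' starts out with a shape listing every definite property.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Simplified model, not SpiderMonkey code. A shape is reduced to the ordered
// property names an object claims to have; slotSpan() is its length.
struct Obj {
    std::vector<std::string> shape;
    std::size_t slotSpan() const { return shape.size(); }
};

// One stack frame (hypothetical layout). 'initialized' is how many definite
// properties the constructor has actually written at its current pc.
struct Frame {
    int scriptId;
    bool constructing;
    Obj *thisObj;
    std::size_t initialized;
};

// Invalidate the definite properties of script 'scriptId' and repair the
// object of every in-progress 'new' frame. Returns how many were rolled back.
std::size_t clearDefiniteProperties(int scriptId, std::size_t numDefinite,
                                    std::vector<Frame> &stack) {
    std::size_t rolledBack = 0;
    for (Frame &f : stack) {
        if (!f.constructing || f.scriptId != scriptId)
            continue;
        Obj &obj = *f.thisObj;
        // Case from the comment: all definite properties written, more added
        // on top. The shape is accurate; truncating would drop real properties.
        if (f.initialized == numDefinite && obj.slotSpan() > numDefinite)
            continue;
        // Otherwise keep only the definite properties written so far.
        if (obj.slotSpan() > f.initialized) {
            obj.shape.resize(f.initialized);
            ++rolledBack;
        }
    }
    return rolledBack;
}

int main() {
    Obj grown;  // constructed sample: two definite properties plus one extra
    grown.shape = {"base", "name", "extra"};
    std::vector<Frame> stack{{1, true, &grown, 2}};
    return clearDefiniteProperties(1, 2, stack) == 0 ? 0 : 1;
}
```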
(Reporter)

Updated

6 years ago
Blocks: 676763
(Reporter)

Comment 2

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug658777.js.
Flags: in-testsuite+