Bug 658777 - TI: Assertion failure: numProperties == obj->slotSpan(), at jsinfer.cpp:2790
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Assigned To: general
Blocks: infer-regress langfuzz
 
Reported: 2011-05-21 05:17 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:05 PST
choller: in‑testsuite+

Description Christian Holler (:decoder) 2011-05-21 05:17:07 PDT
The following testcase asserts on TI revision bdb2a82cfd16 (run with -j -m -n -a), tested on 64 bit:

function Employee(name, dept) this.name = name || "";
function WorkerBee(name, dept, projs) {
    this.base = Employee
    this.base(name, dept)
}
function Engineer(name, projs, machine) {
    this.base = WorkerBee
    this.base(name, "engineering", projs)
    __proto__["a" + constructor] = 1
}
new Engineer;

Comment 1 Brian Hackett (:bhackett) 2011-05-21 22:58:48 PDT
After invalidating information about the definite properties in an object, we need to walk the stack to look for any in-progress frames that invoke 'new' on the script and roll back their shape according to how far along they are in initialization. We didn't correctly handle the case where such a 'new' frame had already finished adding the definite properties and had added some more on top (in such cases, don't touch the shape of the frame's new object).

http://hg.mozilla.org/projects/jaegermonkey/rev/51f64eb6313b

Comment 2 Christian Holler (:decoder) 2013-01-14 08:05:18 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug658777.js.
