Closed
Bug 698074
Opened 12 years ago
Closed 12 years ago
"Assertion failure: hasSlot() && !hasMissingSlot(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
|
3.58 KB,
text/plain
|
Details |
a = (0).__proto__
b = (0).__proto__
b.__defineSetter__("valueOf", function() {})
a + 8
asserts js debug shell on JM changeset b01eb1ba58ce without any CLI flags at Assertion failure: hasSlot() && !hasMissingSlot(),
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 77570:ff51ddfdf5d1
user: Brian Hackett
date: Wed Sep 28 15:04:55 2011 -0700
summary: Remove shape numbers and Shape::slotSpan, factor Shape getter/setter into BaseShape, bug 684505.
|
Reporter | |
Comment 1•12 years ago
|
||
Related to bug 690396 ? (The testcase there involves yield, which this testcase doesn't.)
|
|
Reporter | |
Updated•12 years ago
|
Keywords: regression
|
|
Reporter | |
Comment 2•12 years ago
|
||
As per decoder's request, this does not reproduce on m-c changeset 1c7e1db3645b.
|
||
Comment 3•12 years ago
|
||
This is a new assertion added under a function called in many places (shape->slot()) so can indicate separate problems. This is a different misuse of shape->slot() than the one in bug 690396. https://hg.mozilla.org/projects/jaegermonkey/rev/c46c6ebe3d19
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Comment 4•11 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•