Last Comment Bug 698074 - "Assertion failure: hasSlot() && !hasMissingSlot(),"
: "Assertion failure: hasSlot() && !hasMissingSlot(),"
Status: RESOLVED FIXED
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
: -- critical (vote)
: ---
Assigned To: general
:
Mentors:
Depends on:
Blocks: 630996 684505
  Show dependency treegraph
 
Reported: 2011-10-28 13:00 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 14:00 PST (History)
4 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
stack (3.58 KB, text/plain)
2011-10-28 13:00 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags Details

Description Gary Kwong [:gkw] [:nth10sd] 2011-10-28 13:00:09 PDT
Created attachment 570335 [details]
stack

a = (0).__proto__
b = (0).__proto__
b.__defineSetter__("valueOf", function() {})
a + 8

asserts js debug shell on JM changeset b01eb1ba58ce without any CLI flags at Assertion failure: hasSlot() && !hasMissingSlot(),

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   77570:ff51ddfdf5d1
user:        Brian Hackett
date:        Wed Sep 28 15:04:55 2011 -0700
summary:     Remove shape numbers and Shape::slotSpan, factor Shape getter/setter into BaseShape, bug 684505.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2011-10-28 13:46:21 PDT
Related to bug 690396 ? (The testcase there involves yield, which this testcase doesn't.)
Comment 2 Gary Kwong [:gkw] [:nth10sd] 2011-10-28 15:53:38 PDT
As per decoder's request, this does not reproduce on m-c changeset 1c7e1db3645b.
Comment 3 Brian Hackett (:bhackett) 2011-10-29 23:01:59 PDT
This is a new assertion added under a function called in many places (shape->slot()) so can indicate separate problems.  This is a different misuse of shape->slot() than the one in bug 690396.

https://hg.mozilla.org/projects/jaegermonkey/rev/c46c6ebe3d19
Comment 4 Christian Holler (:decoder) 2013-01-19 14:00:14 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.