Last Comment Bug 699166 - TI: "Assertion failure: hasSlot() && !hasMissingSlot(),"
: TI: "Assertion failure: hasSlot() && !hasMissingSlot(),"
Status: RESOLVED FIXED
: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Linux
: -- critical (vote)
: ---
Assigned To: general
:
Mentors:
Depends on:
Blocks: 630996 684505
  Show dependency treegraph
 
Reported: 2011-11-02 11:40 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 07:50 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch (1.01 KB, patch)
2011-11-09 10:30 PST, Brian Hackett (:bhackett)
luke: review+
Details | Diff | Splinter Review

Description Gary Kwong [:gkw] [:nth10sd] 2011-11-02 11:40:53 PDT
a = "".__proto__
b = uneval().__proto__
for (var i = 0; i < 2; i++) {
    a.__defineSetter__("valueOf", function() {})
    a + ""
    delete b.valueOf
}

asserts js debug shell on JM changeset f951e9151626 without any CLI flags at Assertion failure: hasSlot() && !hasMissingSlot(),

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   77570:ff51ddfdf5d1
user:        Brian Hackett
date:        Wed Sep 28 15:04:55 2011 -0700
summary:     Remove shape numbers and Shape::slotSpan, factor Shape getter/setter into BaseShape, bug 684505.
Comment 1 Brian Hackett (:bhackett) 2011-11-09 10:29:42 PST
Incorrect fix from bug 698074, HasDataProperty is looking for a slotful native property on an object but did not test the result of nativeLookup correctly.

https://hg.mozilla.org/projects/jaegermonkey/rev/0a4e7fe9b62f
Comment 2 Brian Hackett (:bhackett) 2011-11-09 10:30:27 PST
Created attachment 573249 [details] [diff] [review]
patch
Comment 3 Christian Holler (:decoder) 2013-01-14 07:50:50 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug699166.js.

Note You need to log in before you can comment on or make changes to this bug.