[ObjShrink] "Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),"

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Reporter: gkw
Assignee: Unassigned
Version: Trunk
Platform: x86 Linux
Keywords: assertion, regression, testcase
Bug Flags: in-testsuite +
Firefox Tracking Flags: Not tracked
Attachments: 1 attachment

(Reporter)

Description

6 years ago
Created attachment 577363: stack

a = []
function f(o) {
    o[5] = {}
}
for (var i = 0; i < 20; i++) {
    with(a) f(a)
}

asserts js debug shell on JM changeset 5546f57c9567 with -m at Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),

Doesn't seem to occur with m-c changeset bc48009a6bbb.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80557:13b3669cad6c
user:        Brian Hackett
date:        Mon Nov 21 19:20:39 2011 -0500
summary:     Dense arrays should have numFixedSlots() == 0, regardless of size class. bug 704348

Bogus assert.  It used to be that dense array inline paths tested the incoming object's class, and if that test passed but another failed then an array hole was being accessed.  Now the testing is done based on the object's shape, and dense arrays can have multiple shapes (though the arrays associated with a given parent will almost all have the same shape, except in weird circumstances like the 'with(a)' setting the object's DELEGATE flag).

https://hg.mozilla.org/projects/jaegermonkey/rev/c4832f2d9986
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug705873.js.
Flags: in-testsuite+
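
A simplified model of the guard change described in the "Bogus assert" comment above, added here as an illustration; it is not SpiderMonkey code and not part of the original bug. Every name in it (makeDenseArray, markDelegate, storeSlow, run, the shape strings) is hypothetical, and it assumes the inline path falls back to a slow path that carried the assertion from the bug title.

```javascript
// Simplified model, added for illustration; not SpiderMonkey code.
// All names and shape strings here are hypothetical.
const HOLE = Symbol("JS_ARRAY_HOLE");
const KEY = 5;

function makeDenseArray() {
  return { clasp: "Array", shape: "dense", initLen: 0, elems: [] };
}

// Per the comment, `with (a)` sets the DELEGATE flag, which gives the
// array a different shape while its class stays the same.
function markDelegate(obj) {
  obj.shape = "dense+DELEGATE";
}

// The condition from the assertion in the bug title.
function oldAssertHolds(obj, key) {
  return key >= obj.initLen || obj.elems[key] === HOLE;
}

// Slow path: pad with holes up to the index, then store.
function storeSlow(obj, key, val) {
  while (obj.initLen <= key) obj.elems[obj.initLen++] = HOLE;
  obj.elems[key] = val;
}

// Runs the testcase loop under a "class" or "shape" guard and records,
// for every slow-path entry, whether the old assertion would hold.
function run(guardKind, iterations) {
  const a = makeDenseArray();
  const compiledShape = a.shape; // shape the inline path was built for
  const slowEntries = [];
  for (let i = 0; i < iterations; i++) {
    markDelegate(a); // with (a) f(a)
    const guardOk = guardKind === "class"
      ? a.clasp === "Array"
      : a.shape === compiledShape;
    const inBounds = KEY < a.initLen && a.elems[KEY] !== HOLE;
    if (guardOk && inBounds) {
      a.elems[KEY] = {}; // inline store
      continue;
    }
    slowEntries.push({ iteration: i, assertHolds: oldAssertHolds(a, KEY) });
    storeSlow(a, KEY, {});
  }
  return slowEntries;
}
```

With the class guard the only slow-path entry is the first store into the hole, so the assertion holds. With the shape guard every iteration after the first reaches the slow path with a[5] already filled, which is the case the assertion wrongly rules out.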