Closed Bug 705873 Opened 8 years ago Closed 8 years ago

[ObjShrink] "Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),"

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

Attached file stack
a = []
function f(o) {
    o[5] = {}
}
for (var i = 0; i < 20; i++) {
    with(a) f(a)
}

asserts js debug shell on JM changeset 5546f57c9567 with -m at Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),

Doesn't seem to occur with m-c changeset bc48009a6bbb.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80557:13b3669cad6c
user:        Brian Hackett
date:        Mon Nov 21 19:20:39 2011 -0500
summary:     Dense arrays should have numFixedSlots() == 0, regardless of size class. bug 704348

Bogus assert.  It used to be that dense array inline paths tested the incoming object's class, and if that test passed but another failed then an array hole was being accessed.  Now the testing is done based on the object's shape, and dense arrays can have multiple shapes (though the arrays associated with a given parent will almost all have the same shape, except in weird circumstances like the 'with(a)' setting the object's DELEGATE flag).

https://hg.mozilla.org/projects/jaegermonkey/rev/c4832f2d9986
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug705873.js.
Flags: in-testsuite+