Bug 705873 - [ObjShrink] "Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),"
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Assigned To: general
: Jason Orendorff [:jorendorff]
Blocks: 630996 704348
Reported: 2011-11-28 13:57 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:20 PST
choller: in‑testsuite+

Attachment: stack (1.65 KB, text/plain), 2011-11-28 13:57 PST, Gary Kwong [:gkw] [:nth10sd]

Description Gary Kwong [:gkw] [:nth10sd] 2011-11-28 13:57:01 PST
Created attachment 577363

a = []
function f(o) {
    o[5] = {}       // store to a dense array element
}
for (var i = 0; i < 20; i++) {
    with(a) f(a)    // call f with a on the scope chain
}

asserts js debug shell on JM changeset 5546f57c9567 with -m at Assertion failure: (jsuint)keyval >= obj->getDenseArrayInitializedLength() || obj->getDenseArrayElement(keyval).isMagic(JS_ARRAY_HOLE),

Doesn't seem to occur with m-c changeset bc48009a6bbb.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   80557:13b3669cad6c
user:        Brian Hackett
date:        Mon Nov 21 19:20:39 2011 -0500
summary:     Dense arrays should have numFixedSlots() == 0, regardless of size class. bug 704348
Comment 1 Brian Hackett (:bhackett) 2011-11-28 18:06:36 PST
Bogus assert.  It used to be that dense array inline paths tested the incoming object's class, and if that test passed but another failed then an array hole was being accessed.  Now the testing is done based on the object's shape, and dense arrays can have multiple shapes (though the arrays associated with a given parent will almost all have the same shape, except in weird circumstances like the 'with(a)' setting the object's DELEGATE flag).
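
The guard change described in comment 1, as a simplified model added here; it is not part of the bug thread and not SpiderMonkey code. The object layout, the shape names and the `setElem`/`replay` helpers are assumptions made for illustration.

```javascript
// Simplified model of a guarded inline path for dense array stores.
// All names are hypothetical; this is not SpiderMonkey code.
const HOLE = Symbol("JS_ARRAY_HOLE");
const INITIAL_SHAPE = "dense-initial";     // shape the compiled code expects
const DELEGATE_SHAPE = "dense-delegate";   // assumed shape after with(a)

function makeDenseArray() {
  return { cls: "Array", shape: INITIAL_SHAPE, elems: [] };
}

// What the old assertion checked on entry to the slow path
// (elems.length stands in for the initialized length).
function stubInvariant(obj, key) {
  return key >= obj.elems.length || obj.elems[key] === HOLE;
}

// Store obj[key] = value through a guarded inline path. Returns which path
// ran and, for the slow path, whether the old assertion would have held.
function setElem(obj, key, value, guard) {
  const guardOk = guard === "class"
    ? obj.cls === "Array"                  // old guard: object class
    : obj.shape === INITIAL_SHAPE;         // new guard: object shape
  const present = key < obj.elems.length && obj.elems[key] !== HOLE;
  if (guardOk && present) {
    obj.elems[key] = value;
    return { path: "inline", assertHolds: true };
  }
  const assertHolds = stubInvariant(obj, key);
  while (obj.elems.length < key) obj.elems.push(HOLE);  // pad with holes
  obj.elems[key] = value;
  return { path: "stub", assertHolds };
}

// Replays the testcase: with(a) changes a's shape, then f(a) stores a[5].
function replay(guard, iterations = 20) {
  const a = makeDenseArray();
  const results = [];
  for (let i = 0; i < iterations; i++) {
    a.shape = DELEGATE_SHAPE;              // modelled effect of with(a)
    results.push(setElem(a, 5, {}, guard));
  }
  return results;
}
```

With the class guard, every slow-path entry satisfies the old assertion; with the shape guard, the second store reaches the slow path while `a[5]` is already filled, which is the state the assertion rejected.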
Comment 2 Christian Holler (:decoder) 2013-01-14 08:20:23 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug705873.js.
