[Webkit-unassigned] [Bug 132797] New: REGRESSION: js/primitive-property-access-edge-cases.html sometimes asserts: numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize()

bugzilla-daemon at webkit.org
Sat May 10 23:03:33 PDT 2014


https://bugs.webkit.org/show_bug.cgi?id=132797

           Summary: REGRESSION:
                    js/primitive-property-access-edge-cases.html sometimes
                    asserts: numberOfSlotsForLastOffset(m_offset,
                    m_inlineCapacity) ==
                    propertyTable->propertyStorageSize()
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: Unspecified
        OS/Version: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: ap at webkit.org
                CC: fpizlo at apple.com, mark.lam at apple.com


Starting some time in late April (first recorded crash on April 28th), debug bots sometimes hit an assertion on js/primitive-property-access-edge-cases.html:

ASSERTION FAILED: numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize()
/Volumes/Data/slave/mountainlion-debug/build/Source/JavaScriptCore/runtime/StructureInlines.h(242) : bool JSC::Structure::checkOffsetConsistency() const
1   0x10396d100 WTFCrash
2   0x1031ae13a JSC::Structure::checkOffsetConsistency() const
3   0x1038ed9a3 JSC::Structure::materializePropertyMap(JSC::VM&)
4   0x10326e884 JSC::Structure::materializePropertyMapIfNecessary(JSC::VM&, JSC::DeferGC&)
5   0x1038f0649 JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&, JSC::JSCell*&)
6   0x1031b006d JSC::JSObject::inlineGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&)
7   0x1031a979e JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
8   0x1038df500 JSC::StringObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
9   0x1031b0e74 JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&)
10  0x1031b0c1e JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
11  0x1031d5e5d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
12  0x10361bee7 operationGetByIdOptimize

http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r168592%20(13950)/js/primitive-property-access-edge-cases-crash-log.txt

http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=js%2Fprimitive-property-access-edge-cases.html

I didn't attempt to reproduce locally.
