[Webkit-unassigned] [Bug 158698] New: Assertion in setObjectToStringValue

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jun 13 11:10:11 PDT 2016 

https://bugs.webkit.org/show_bug.cgi?id=158698

            Bug ID: 158698
           Summary: Assertion in setObjectToStringValue
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Keywords: NeedsRadar
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: oliver at apple.com

String coercion triggers an exciting assertion, when i futz with the this object:
(this % (this.__proto__ = Math)) + ""

Produces:
ASSERTION FAILED: conditionSet.hasOneSlotBaseCondition()
/Volumes/Untitled/WebKit/WebKit/Source/JavaScriptCore/runtime/StructureRareData.cpp(129) : void JSC::StructureRareData::setObjectToStringValue(JSC::ExecState *, JSC::VM &, JSC::Structure *, JSC::JSString *, JSC::PropertySlot)
1   0x1041686fd WTFCrash
2   0x103fccbd4 JSC::StructureRareData::setObjectToStringValue(JSC::ExecState*, JSC::VM&, JSC::Structure*, JSC::JSString*, JSC::PropertySlot)
3   0x103e1a70d JSC::Structure::setObjectToStringValue(JSC::ExecState*, JSC::VM&, JSC::JSString*, JSC::PropertySlot)
4   0x103e1a3eb JSC::objectProtoFuncToString(JSC::ExecState*)::$_0::operator()(bool, JSC::PropertySlot&) const
5   0x103e1a1bf std::__1::result_of<JSC::objectProtoFuncToString(JSC::ExecState*)::$_0 (bool, JSC::PropertySlot&)>::type JSC::JSObject::getPropertySlot<JSC::objectProtoFuncToString(JSC::ExecState*)::$_0>(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&, JSC::objectProtoFuncToString(JSC::ExecState*)::$_0) const
6   0x103e19fcd std::__1::result_of<JSC::objectProtoFuncToString(JSC::ExecState*)::$_0 (bool, JSC::PropertySlot&)>::type JSC::JSObject::getPropertySlot<JSC::objectProtoFuncToString(JSC::ExecState*)::$_0>(JSC::ExecState*, JSC::PropertyName, JSC::objectProtoFuncToString(JSC::ExecState*)::$_0) const
7   0x103e18a6d JSC::objectProtoFuncToString(JSC::ExecState*)
8   0x103d9643a vmEntryToNative

...

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20160613/5d74cc2f/attachment.html>

More information about the webkit-unassigned mailing list