[Webkit-unassigned] [Bug 166846] New: Assertion "SHOULD NEVER BE REACHED" when returning DataView from species constructor in TypedArray#slice

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Jan 9 09:35:20 PST 2017 

https://bugs.webkit.org/show_bug.cgi?id=166846

            Bug ID: 166846
           Summary: Assertion "SHOULD NEVER BE REACHED" when returning
                    DataView from species constructor in TypedArray#slice
    Classification: Unclassified
           Product: WebKit
           Version: WebKit Local Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: andre.bargull at gmail.com

SVN: rev210506
Build with: perl Tools/Scripts/build-jsc --gtk --debug


Executing the following test case leads to this assertion:
---
SHOULD NEVER BE REACHED
../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h(506) : JSC::EncodedJSValue JSC::genericTypedArrayViewProtoFuncSlice(JSC::VM&, JSC::ExecState*) [with ViewClass = JSC::JSGenericTypedArrayView<JSC::Int8Adaptor>; JSC::EncodedJSValue = long int]
1   0x7ffff6d6ab21 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ffff6d6ab21]
2   0x7ffff6baead3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC35genericTypedArrayViewProtoFuncSliceINS_23JSGenericTypedArrayViewINS_11Int8AdaptorEEEEElRNS_2VMEPNS_9ExecStateE+0x9b8) [0x7ffff6baead3]
3   0x7ffff6b92879 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x2635879) [0x7ffff6b92879]
4   0x7fffaf3ff028 [0x7fffaf3ff028]
---


Test case:
---
var ta = new Int8Array([1, 2, 3, 4]);
ta.constructor = {
    [Symbol.species]: function() {
        return new DataView(ta.buffer);
    }
};
ta.slice(0, 2);
---

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.webkit.org/pipermail/webkit-unassigned/attachments/20170109/0dc94a61/attachment.html>

More information about the webkit-unassigned mailing list