Bug 132797

Summary: REGRESSION: js/primitive-property-access-edge-cases.html sometimes asserts: numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize()
Product: WebKit Reporter: Alexey Proskuryakov <ap>
Component: JavaScriptCoreAssignee: Nobody <webkit-unassigned>
Status: NEW ---    
Severity: Normal CC: fpizlo, mark.lam
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: Unspecified   
OS: Unspecified   

Description Alexey Proskuryakov 2014-05-10 23:03:51 PDT 
Starting some time in late April (first recorded crash on April 28th), debug bots sometimes hit an assertion on js/primitive-property-access-edge-cases.html:

ASSERTION FAILED: numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize()
/Volumes/Data/slave/mountainlion-debug/build/Source/JavaScriptCore/runtime/StructureInlines.h(242) : bool JSC::Structure::checkOffsetConsistency() const
1   0x10396d100 WTFCrash
2   0x1031ae13a JSC::Structure::checkOffsetConsistency() const
3   0x1038ed9a3 JSC::Structure::materializePropertyMap(JSC::VM&)
4   0x10326e884 JSC::Structure::materializePropertyMapIfNecessary(JSC::VM&, JSC::DeferGC&)
5   0x1038f0649 JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&, JSC::JSCell*&)
6   0x1031b006d JSC::JSObject::inlineGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&)
7   0x1031a979e JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
8   0x1038df500 JSC::StringObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
9   0x1031b0e74 JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&)
10  0x1031b0c1e JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&)
11  0x1031d5e5d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const
12  0x10361bee7 operationGetByIdOptimize

http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r168592%20(13950)/js/primitive-property-access-edge-cases-crash-log.txt

http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=js%2Fprimitive-property-access-edge-cases.html

I didn't attempt to reproduce locally.
Comment 1 Alexey Proskuryakov 2014-05-10 23:06:52 PDT 
Strange that this is a RELEASE_ASSERT, but is only hit on debug bots.