Bug 132797

Starting some time in late April (first recorded crash on April 28th), debug bots sometimes hit an assertion on js/primitive-property-access-edge-cases.html: ASSERTION FAILED: numberOfSlotsForLastOffset(m_offset, m_inlineCapacity) == propertyTable->propertyStorageSize() /Volumes/Data/slave/mountainlion-debug/build/Source/JavaScriptCore/runtime/StructureInlines.h(242) : bool JSC::Structure::checkOffsetConsistency() const 1 0x10396d100 WTFCrash 2 0x1031ae13a JSC::Structure::checkOffsetConsistency() const 3 0x1038ed9a3 JSC::Structure::materializePropertyMap(JSC::VM&) 4 0x10326e884 JSC::Structure::materializePropertyMapIfNecessary(JSC::VM&, JSC::DeferGC&) 5 0x1038f0649 JSC::Structure::get(JSC::VM&, JSC::PropertyName, unsigned int&, JSC::JSCell*&) 6 0x1031b006d JSC::JSObject::inlineGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&) 7 0x1031a979e JSC::JSObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 8 0x1038df500 JSC::StringObject::getOwnPropertySlot(JSC::JSObject*, JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 9 0x1031b0e74 JSC::JSObject::fastGetOwnPropertySlot(JSC::ExecState*, JSC::VM&, JSC::Structure&, JSC::PropertyName, JSC::PropertySlot&) 10 0x1031b0c1e JSC::JSObject::getPropertySlot(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) 11 0x1031d5e5d JSC::JSValue::get(JSC::ExecState*, JSC::PropertyName, JSC::PropertySlot&) const 12 0x10361bee7 operationGetByIdOptimize http://build.webkit.org/results/Apple%20MountainLion%20Debug%20WK1%20(Tests)/r168592%20(13950)/js/primitive-property-access-edge-cases-crash-log.txt http://webkit-test-results.appspot.com/dashboards/flakiness_dashboard.html#showAllRuns=true&tests=js%2Fprimitive-property-access-edge-cases.html I didn't attempt to reproduce locally.