Bug 166846 - Assertion "SHOULD NEVER BE REACHED" when returning DataView from species constructor in TypedArray#slice
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: JavaScriptCore
Version: WebKit Local Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Nobody
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2017-01-09 09:35 PST by André Bargull
Modified: 2017-01-12 17:28 PST

Description André Bargull 2017-01-09 09:35:20 PST
SVN: rev210506
Build with: perl Tools/Scripts/build-jsc --gtk --debug


Executing the following test case leads to this assertion:
---
SHOULD NEVER BE REACHED
../../Source/JavaScriptCore/runtime/JSGenericTypedArrayViewPrototypeFunctions.h(506) : JSC::EncodedJSValue JSC::genericTypedArrayViewProtoFuncSlice(JSC::VM&, JSC::ExecState*) [with ViewClass = JSC::JSGenericTypedArrayView<JSC::Int8Adaptor>; JSC::EncodedJSValue = long int]
1   0x7ffff6d6ab21 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(WTFCrash+0x1e) [0x7ffff6d6ab21]
2   0x7ffff6baead3 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(_ZN3JSC35genericTypedArrayViewProtoFuncSliceINS_23JSGenericTypedArrayViewINS_11Int8AdaptorEEEEElRNS_2VMEPNS_9ExecStateE+0x9b8) [0x7ffff6baead3]
3   0x7ffff6b92879 /home/andre/svn/webkit/WebKitBuild/Debug/lib/libjavascriptcoregtk-4.0.so.18(+0x2635879) [0x7ffff6b92879]
4   0x7fffaf3ff028 [0x7fffaf3ff028]
---


Test case:
---
var ta = new Int8Array([1, 2, 3, 4]);
ta.constructor = {
    [Symbol.species]: function() {
        return new DataView(ta.buffer);
    }
};
ta.slice(0, 2);
---
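
A regression check for the behaviour this report exercises, added here as an example; it is not part of the original report or of WebKit's test suite. It assumes the ECMAScript rule that TypedArraySpeciesCreate validates the species constructor's result and throws a TypeError when it is not a TypedArray. It goes beyond the reported case (`slice` with a `DataView`) to the other species-using methods and other non-TypedArray results; the names `checkSpeciesValidation`, `SPECIES_METHODS` and `BAD_RESULTS` are hypothetical.

```javascript
// Added regression check, not from the bug report. Expected behaviour
// (assumption taken from ECMAScript TypedArraySpeciesCreate): a species
// constructor result that is not a TypedArray must raise a TypeError.
const TYPED_ARRAYS = [Int8Array, Uint8Array, Uint8ClampedArray, Int16Array,
                      Uint16Array, Int32Array, Uint32Array, Float32Array, Float64Array];

// Methods that create their result through the species constructor.
const SPECIES_METHODS = {
    slice: ta => ta.slice(0, 2),
    subarray: ta => ta.subarray(0, 2),
    map: ta => ta.map(x => x),
    filter: ta => ta.filter(() => true),
};

// Non-TypedArray objects a species constructor could return (constructed samples).
const BAD_RESULTS = {
    DataView: ta => new DataView(ta.buffer),
    ArrayBuffer: ta => ta.buffer,
    plainObject: () => ({ length: 4 }),
    Array: () => [0, 0, 0, 0],
};

// Returns a list of combinations that did NOT end in a TypeError.
function checkSpeciesValidation() {
    const failures = [];
    for (const TA of TYPED_ARRAYS) {
        for (const [method, call] of Object.entries(SPECIES_METHODS)) {
            for (const [kind, make] of Object.entries(BAD_RESULTS)) {
                const ta = new TA([1, 2, 3, 4]);
                ta.constructor = { [Symbol.species]: function () { return make(ta); } };
                let outcome;
                try {
                    call(ta);
                    outcome = "returned without throwing";
                } catch (e) {
                    outcome = e instanceof TypeError ? null : "threw " + e;
                }
                if (outcome) failures.push(`${TA.name}#${method} / ${kind}: ${outcome}`);
            }
        }
    }
    return failures;
}

const failures = checkSpeciesValidation();
console.log(failures.length ? failures.join("\n") : "all species results rejected with TypeError");
```

On a debug build that still hits the assertion from this report, the process aborts before the summary line is printed.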
Comment 1 Radar WebKit Bug Importer 2017-01-12 17:28:50 PST
<rdar://problem/30005352>