Status: Accepted
Owner: [email protected]
CC: [email protected]
Labels: Type-Bug Priority-Medium
New issue 2055 by [email protected]: Assertion in JSObject::TransitionElementsKind hit
http://code.google.com/p/v8/issues/detail?id=2055
The V8 language fuzzer hit the following assertion. It is not the fuzzed code, but the language fuzzer itself that crashes.
#
# Fatal error in src/objects.cc, line 9712
# unreachable code
#
By adding an additional assertion in Runtime_StoreArrayLiteralElement I was able to narrow it down to a boilerplate which has been transitioned before the cloned object itself.
#
# Fatal error in ../src/runtime.cc, line 4677
# CHECK(elements_kind == boilerplate_object->GetElementsKind()) failed
#
(gdb) p elements_kind
$1 = v8::internal::FAST_SMI_ONLY_ELEMENTS
(gdb) p boilerplate_object->GetElementsKind()
$2 = v8::internal::FAST_ELEMENTS
--
v8-dev mailing list
[email protected]
http://groups.google.com/group/v8-dev