// Randomly chosen test: js/src/jit-test/tests/jaeger/testSetElem-NewProto.js var x = {}; Object.defineProperty(x, "1", { set: function (){} }); Array.prototype.__proto__ = x; // jsfunfuzz-generated for (var v of (new Map)) {} asserts js debug shell on m-c changeset 5b54831761b1 with --fuzzing-safe --no-threads --no-baseline --no-ion at Assertion failure: resultPairObj->getDenseInitializedLength() == 2, at builtin/MapObject.cpp Configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 5b54831761b1 === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150731141139" and the hash "91cb27a1be1e". The "bad" changeset has the timestamp "20150731151438" and the hash "51d2109c72dc". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=91cb27a1be1e&tochange=51d2109c72dc Till, is bug 1129313 a likely regressor?

(lldb) bt 5 * thread #1: tid = 0x2a0649, 0x00000001000d48b9 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::MapIteratorObject::next(cx=<unavailable>, mapIterator=<unavailable>, resultPairObj=<unavailable>) + 601 at MapObject.cpp:194, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x00000001000d48b9 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::MapIteratorObject::next(cx=<unavailable>, mapIterator=<unavailable>, resultPairObj=<unavailable>) + 601 at MapObject.cpp:194 frame #1: 0x00000001003189b2 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`intrinsic_GetNextMapEntryForIterator(cx=0x000000010324c400, argc=<unavailable>, vp=0x0000000103510178) + 274 at SelfHosting.cpp:505 frame #2: 0x0000000100234f59 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x000000010324c400, native=0x00000001003188a0)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 209 at jscntxtinlines.h:235 frame #3: 0x0000000100234e88 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`js::Invoke(cx=0x000000010324c400, args=CallArgs at 0x00007fff5fbfdfa0, construct=<unavailable>) + 632 at Interpreter.cpp:811 frame #4: 0x00000001002503e4 js-dbg-64-dm-nsprBuild-darwin-5b54831761b1`Interpret(cx=<unavailable>, state=0x00007fff5fbfe730) + 47444 at Interpreter.cpp:3073 (lldb)

Wow, that's about as much a rookie mistake as it could possibly be :( It's almost as though I didn't know anything about our self-hosting infrastructure ...

url: https://hg.mozilla.org/integration/mozilla-inbound/rev/c6ee8f383e9ee8816e13400591261c68b33cb3dd changeset: c6ee8f383e9ee8816e13400591261c68b33cb3dd user: Till Schneidereit <till@tillschneidereit.net> date: Tue Aug 04 14:58:27 2015 +0200 description: Bug 1190727 - Make initialization of temporary results array resilient against Array.prototype setters in self-hosted Map#next implementation. r=jandem

The pushed patch is slightly different from the one attached here, as discussed on IRC.