Closed Bug 582894 Opened 14 years ago Closed 14 years ago

JM: "Assertion failure: INT_FITS_IN_JSID(i),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: dvander)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file)

fix
2.93 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
for each(let e in [0x40000000]) {
    (0)[e]
}

asserts js debug shell on JM changeset 3700c42a8e82 with -m at Assertion failure: INT_FITS_IN_JSID(i), at ../jsapi.h:368
Hits a nice corner in the GetElem stub where the id value is 32b wide but the INT_TO_JSID needs to shift it one left. Do we have to test for this high-bit-set condition everywhere we want to convert? There's also ArgSub in StubCalls.cpp and no warning on the APIs that take a jsint and convert to JSID, like JS_GetElement.

CCing lw for his unequaled fatval knowledge!
Yes, all calls to INT_TO_JSID must dynamically test or statically know that INT_FITS_IN_JSID(i).
Attached patch fixSplinter Review 
Just hit this in real-world code so time to fix. I just duplicated the interpreter case, since they diverged.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #468199 - Flags: review?(dmandelin)
Attachment #468199 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/projects/jaegermonkey/rev/d2a13fb923cf
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug582894.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: