This particular special case in js/src/jsarray.cpp seems to be not covered by our test suite: http://searchfox.org/mozilla-central/rev/f54c1723befe6bcc7229f005217d5c681128fcad/js/src/jsarray.cpp#2082 anba made me a test for this that I'll land as part of this bug so we can cover this location better. Filing this bug s-s because it potentially points to an area of our codebase that lacks the proper testing. We should only unhide this bug if the affected code is unlikely to be s-s or once we have landed proper test support.
Comment on attachment 8913242 [details] [diff] [review] bug1403962.patch LGTM!
Attachment #8913242 - Flags: review?(andrebargull) → review+
Might as well land this on Beta too to help the fuzzers.
Whiteboard: [adv-main57-] → [adv-main57-][post-critsmash-triage]
Out of curiosity, how did you conclude that the line was not covered? Looking at https://coveralls.io/builds/14179024/source?filename=js%2Fsrc%2Fjsarray.cpp#L2022 , it seems like it is. But perhaps you're only looking at the coverage from running... jit-tests? jit-tests+jstests? (I'm asking because I'd like to know whether test262 covers that line or not.)
Oh, wait. That coverage report would be from *after* this test landed...