Closed Bug 519119 Opened 15 years ago Closed 12 years ago

Assertion failure: newlen + argc == length + argc, at ../jsarray.cpp:2613 - ecma_3/Array/regress-322135-04.js

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
normal

Tracking

RESOLVED WORKSFORME

People

(Reporter: bc, Assigned: Waldo)

Details

(Keywords: assertion, regression, testcase)

ecma_3/Array/regress-322135-04.js shell/browser, linux only?

assertion in debug, crashes opt

regression
changeset: 32851:1847cf67118a
user: David Mandelin <dmandelin@mozilla.com>
date: Wed Sep 23 11:16:30 2009 -0700
summary: Bug 511695: Fix JS warnings in MSVC8, r=brendan

This is an example of a slow test that is/will be missed by normal testing.
Flags: in-testsuite+

            if (OBJ_IS_DENSE_ARRAY(cx, obj) &&
                !js_PrototypeHasIndexedProperties(cx, obj) &&
                !INDEX_TOO_SPARSE(obj, unsigned(newlen + argc))) {
                JS_ASSERT(newlen + argc == length + argc);
                if (!EnsureCapacity(cx, obj, length + argc))
                    return JS_FALSE;
                memmove(obj->dslots + argc, obj->dslots,
                        length * sizeof(jsval));
                for (uint32 i = 0; i < argc; i++)
                    obj->dslots[i] = JSVAL_HOLE;
            } else {

It was intentional that |newlen + argc| be calculated to be a jsdouble; if that number goes outside 2**32 - 1 its index is supposed to be treated as too sparse, but the unsigned cast, I guess, on some compilers, produces a small index that isn't too sparse.
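
The range check described in the comment above, as an added example that is not part of the original bug report or Mozilla's code: the length is kept as a double and narrowed only after it is proven to fit in 32 bits, because converting an out-of-range double to an unsigned type is undefined behaviour in C++. kMaxDenseLength, narrow_length, can_use_dense_unshift and wrapped_sum are hypothetical names, and the threshold is a constructed stand-in for the engine's INDEX_TOO_SPARSE policy.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for the engine's sparseness policy; the real
// INDEX_TOO_SPARSE macro is not reproduced here.
static const uint32_t kMaxDenseLength = 1u << 24;  // constructed threshold

// Narrow a length held as a double to uint32_t only after proving it is in
// range. Casting an out-of-range double to an unsigned integer type is
// undefined behaviour, so the result may differ between compilers.
static bool narrow_length(double newlen, uint32_t *out) {
    if (!(newlen >= 0.0 && newlen <= 4294967295.0))  // also rejects NaN
        return false;
    *out = static_cast<uint32_t>(newlen);
    return true;
}

// Decide whether unshift may take the memmove fast path.
static bool can_use_dense_unshift(uint32_t length, uint32_t argc) {
    double newlen = static_cast<double>(length) + static_cast<double>(argc);
    uint32_t narrowed;
    if (!narrow_length(newlen, &narrowed))
        return false;  // beyond 2**32 - 1: treat as too sparse
    return narrowed <= kMaxDenseLength;
}

// A wrapping 32-bit sum of the same inputs, shown only as one possible
// "small index" an unchecked narrowing could hand to the sparseness test.
static uint32_t wrapped_sum(uint32_t length, uint32_t argc) {
    return length + argc;  // well-defined modulo 2**32
}

int main() {
    // Values from the test case on this page: new Array(4294967295), one arg.
    uint32_t length = 4294967295u, argc = 1;
    std::printf("wrapped sum: %u\n",
                static_cast<unsigned>(wrapped_sum(length, argc)));
    std::printf("fast path allowed (huge): %d\n",
                can_use_dense_unshift(length, argc));
    std::printf("fast path allowed (small): %d\n",
                can_use_dense_unshift(100, 3));
    return 0;
}
```
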
Now on mozilla-1.9.2 as well.
Flags: wanted1.9.2?
Assignee: general → jwalden+bmo
This issue has also been reported under 612837, but there with an instant testcase. Since this issue has been fixed/resolved as worksforme, this bug should probably get the same state.

The question is though, is this really also on 1.9.x? The implementation seems to be different there and requires movement of the whole array. Can someone with enough RAM maybe try the testcase on 1.9.x?

var a = new Array(4294967295);
a.unshift("foo");
See Also: → 612837
I can't reproduce this on 1.9.2 or 2.0.0 on 64bit linux with 4G or 32bit linux with 1G, which is what this was probably tested with when originally reported. I didn't try too hard on 1.9.1. Feel free to wfm it.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: wanted1.9.2?
Resolution: --- → WORKSFORME