JM: "Assertion failure: INT_FITS_IN_JSID(i),"

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 8 years ago
Modified: 6 years ago
People

(Reporter: gkw, Assigned: dvander)

Tracking

Blocks: 1 bug
Version: Trunk
Keywords: assertion, regression, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

Description (Reporter), 8 years ago

for each(let e in [0x40000000]) {
    (0)[e]
}

asserts js debug shell on JM changeset 3700c42a8e82 with -m at Assertion failure: INT_FITS_IN_JSID(i), at ../jsapi.h:368
Hits a nice corner in the GetElem stub where the id value is 32b wide but the INT_TO_JSID needs to shift it one left. Do we have to test for this high-bit-set condition everywhere we want to convert? There's also ArgSub in StubCalls.cpp and no warning on the APIs that take a jsint and convert to JSID, like JS_GetElement.

CCing lw for his unequaled fatval knowledge!
Yes, all calls to INT_TO_JSID must dynamically test or statically know that INT_FITS_IN_JSID(i).
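To make the failure mode concrete, here is an added example that is not code from this bug or from SpiderMonkey: a toy model of the int-tagged jsid encoding the comments describe. It assumes a 32-bit jsid word with the type tag in the low bit and the integer stored shifted left by one (the constants, the 32-bit width and the lower-case function names are assumptions for the model, not jsapi.h). It shows why 0x40000000 cannot fit once a bit is lost to the tag, that an unchecked conversion of such a value silently aliases a different index (here the encoded id of 2^30 equals that of -2^30), and what the dynamic INT_FITS_IN_JSID-style test at a conversion site looks like.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the tagged-integer jsid encoding this bug is about. It is an
 * illustration, not SpiderMonkey's jsapi.h: the jsid is assumed to be a
 * 32-bit word whose low bit is a type tag, and an int id is stored in the
 * upper 31 bits, i.e. the value is shifted left by one before tagging. */
typedef uint32_t jsid;   /* assumed 32-bit word for the model */
typedef int32_t  jsint;  /* the 32-bit index the stubs hand to INT_TO_JSID */

#define JSID_TYPE_INT 0x1u
/* One bit is lost to the tag, so only 31-bit signed values survive. */
#define JSID_INT_MIN (-(jsint)(1 << 30))
#define JSID_INT_MAX ((jsint)(1 << 30) - 1)

/* The dynamic test every INT_TO_JSID caller needs: does i fit in 31 bits?
 * (A plain range compare; the engine's macro used an unsigned-subtraction
 * trick that says the same thing.) */
static bool int_fits_in_jsid(jsint i) {
    return i >= JSID_INT_MIN && i <= JSID_INT_MAX;
}

/* Unchecked encode: only meaningful when int_fits_in_jsid(i) holds. */
static jsid int_to_jsid(jsint i) {
    return ((jsid)(uint32_t)i << 1) | JSID_TYPE_INT;
}

/* Decode: clear the tag bit, reinterpret as signed (two's complement
 * assumed), divide by two (exact, since the low bit is now zero). */
static jsint jsid_to_int(jsid id) {
    return (jsint)(id & ~JSID_TYPE_INT) / 2;
}

/* What an unchecked conversion does to a value: encode then decode. For a
 * value outside the 31-bit range the top bit is shifted out, so a different
 * integer comes back, i.e. a lookup would silently use the wrong key. */
static jsint round_trip(jsint i) {
    return jsid_to_int(int_to_jsid(i));
}

/* Checked conversion, the shape of the fix: a caller that cannot prove the
 * index fits tests it and takes a slow path instead of encoding garbage. */
static bool safe_int_to_jsid(jsint i, jsid *out) {
    if (!int_fits_in_jsid(i))
        return false;          /* caller falls back to the slow path */
    *out = int_to_jsid(i);
    return true;
}

int main(void) {
    /* Constructed probe values: two ordinary ints, both range limits, the
     * value from the testcase, and one just below the minimum. */
    const jsint probe[] = { 7, -5, JSID_INT_MAX, JSID_INT_MIN, 0x40000000, -0x40000001 };
    for (size_t n = 0; n < sizeof probe / sizeof probe[0]; n++) {
        jsint i = probe[n];
        jsid id;
        if (safe_int_to_jsid(i, &id))
            printf("%11d fits:   jsid=0x%08x decodes to %d\n",
                   i, (unsigned)id, jsid_to_int(id));
        else
            printf("%11d does not fit; unchecked round trip gives %d\n",
                   i, round_trip(i));
    }
    return 0;
}
```

Compiled as plain C99, the run shows 0x40000000 rejected by the check while the unchecked round trip returns -1073741824, the same value JSID_INT_MIN encodes to; that aliasing is what the assertion in the description guards against, and the review point in the comments is that the guard must exist at every conversion site, not just in the interpreter.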
Created attachment 468199: fix

Just hit this in real-world code so time to fix. I just duplicated the interpreter case, since they diverged.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #468199 - Flags: review?(dmandelin)
Attachment #468199 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/projects/jaegermonkey/rev/d2a13fb923cf
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug582894.js.
Flags: in-testsuite+