Jaegermonkey: Assert isDenseArray() && idx < getDenseArrayInitializedLength()

RESOLVED FIXED

Status

()

Core
JavaScript Engine
RESOLVED FIXED
8 years ago
7 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs)

Other Branch
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-jaegermonkey)

(Reporter)

Description

8 years ago
The code

var array1 = ['0']; (new Array(1)).splice(0,0, array1);

causes assertion 

Assertion failure: isDenseArray() && idx < getDenseArrayInitializedLength(), at jsobjinlines.h:335

in the current jaegermonkey tip.
(Reporter)

Updated

8 years ago
Blocks: 608741
This was a lingering misuse of getDenseArrayCapacity missed by bug 604045.

http://hg.mozilla.org/projects/jaegermonkey/rev/0462de4a8aa1

I searched around and found a few more related to Array.concat

http://hg.mozilla.org/projects/jaegermonkey/rev/eb1b0cc2360c

Thanks!
Whiteboard: fixed-in-jaegermonkey
Blocks: 619415
No longer blocks: 608741
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Reporter)

Updated

7 years ago
Blocks: 676763
You need to log in before you can comment on or make changes to this bug.