Closed Bug 617745 Opened 9 years ago Closed 9 years ago

Jaegermonkey: Assert isDenseArray() && idx < getDenseArrayInitializedLength()

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
defect
Not set

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Whiteboard: fixed-in-jaegermonkey)

The code

var array1 = ['0']; (new Array(1)).splice(0,0, array1);

causes assertion 

Assertion failure: isDenseArray() && idx < getDenseArrayInitializedLength(), at jsobjinlines.h:335

in the current jaegermonkey tip.
This was a lingering misuse of getDenseArrayCapacity missed by bug 604045.

http://hg.mozilla.org/projects/jaegermonkey/rev/0462de4a8aa1

I searched around and found a few more related to Array.concat

http://hg.mozilla.org/projects/jaegermonkey/rev/eb1b0cc2360c

Thanks!
Whiteboard: fixed-in-jaegermonkey
Blocks: infer-regress
No longer blocks: TypeInference
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Blocks: 676763
You need to log in before you can comment on or make changes to this bug.