Closed Bug 638212 Opened 14 years ago Closed 14 years ago

Assertion failure: js_CheckForStringIndex(ida->vector[n]) == ida->vector[n], at jsapi.cpp:3982

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Test case for shell (run with -m -a)
242 bytes, application/javascript
Details
The attached shell testcase (run with -m -a) causes the assertion on TM tip. Found through combined fuzzing (jandem's method fuzzer + LangFuzz).
This seems to have occurred since -a was introduced in TM rev f569d49576bb.
OS: Linux → All
Hardware: x86_64 → All
I cannot reproduce this. A bisect shows this might have been fixed by bug 645184. The first good revision is: changeset: 64555:76d04b5e5e75 user: David Mandelin date: Wed Mar 30 16:57:44 2011 -0700 summary: Bug 645184: normalize id in addprop IC handler, r=dvander I'll close as WFM.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: