Closed Bug 638212 Opened 13 years ago Closed 13 years ago

Assertion failure: js_CheckForStringIndex(ida->vector[n]) == ida->vector[n], at jsapi.cpp:3982

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

Test case for shell (run with -m -a)
242 bytes, application/javascript
Details 
The attached shell testcase (run with -m -a) causes the assertion on TM tip.

Found through combined fuzzing (jandem's method fuzzer + LangFuzz).
This seems to have occurred since -a was introduced in TM rev f569d49576bb.
OS: Linux → All
Hardware: x86_64 → All
I cannot reproduce this. A bisect shows this might have been fixed by bug 645184.

The first good revision is:
changeset:   64555:76d04b5e5e75
user:        David Mandelin
date:        Wed Mar 30 16:57:44 2011 -0700
summary:     Bug 645184: normalize id in addprop IC handler, r=dvander

I'll close as WFM.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: