Closed Bug 642592 Opened 13 years ago Closed 13 years ago

TI: Assertion failure: key.index() >= 0, at ./methodjit/BaseAssembler.h:693

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey) 

The following test case (run with -n -a -m) asserts on TI tip, tested on 64
bit:

var strings = new Array();
strings[0x7fffffff] = string;
Nice, this triggered an integer overflow when generating the hole-setting path for dense arrays (the generated code is, however, unreachable).

http://hg.mozilla.org/projects/jaegermonkey/rev/39ec057f7b17
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
> +  if (id->getValue().toInt32() + 1 < 0)  // watch for overflow in hole paths

Does that work everywhere? Some optimizers assume no integer overflow.
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug642592.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.