Persona is no longer an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 651978 - TI+JM: incorrect result with array length
: TI+JM: incorrect result with array length
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: unspecified
: All All
: -- normal (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress
  Show dependency treegraph
Reported: 2011-04-21 14:47 PDT by Jan de Mooij [:jandem]
Modified: 2011-04-22 11:14 PDT (History)
4 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description Jan de Mooij [:jandem] 2011-04-21 14:47:06 PDT
function f() {
    for (var i=0; i<20; i++) {
    var arr = [{}, null];
    var len = arr.length;
    arr[undefined] = 123;
    assertEq(len, 2);
$ ./js -n -m test.js
test.js:7: Error: Assertion failed: got (void 0), expected 2

I thought this was related to array length hoisting but was able to reduce it further. 

After recompiling for the setelem, |len| is restored. The type register has |undefined| tag instead of int32, probably because it was not synced.
Comment 1 Brian Hackett (:bhackett) 2011-04-22 11:14:51 PDT
Same issue as bug 651627, we expected the type tag for arr/len to have been synced at script entry, which the interpreter didn't do.  Fixed by rev 90a7b141e0cf.

Note You need to log in before you can comment on or make changes to this bug.