Closed
Bug 653396
Opened 14 years ago
Closed 14 years ago
JM: Assertion failure: length <= JS_ARGS_LENGTH_MAX, at ./methodjit/MonoIC.cpp:1209
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: decoder, Assigned: luke)
Details
(Keywords: assertion, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.38 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on TI revision 09cce9915b80 (run with -m -n -a),
tested on 64 bit:
function g(a, b, c, d) {}
function f(a, b, c) {
arguments.length=8.64e15;
g.apply(this, arguments);
}f();
|
||
Comment 1•14 years ago
|
||
This asserts also on the tracemonkey branch with -m -a at revision e2843f43757e.
No longer blocks: infer-regress
Summary: TI: Assertion failure: length <= JS_ARGS_LENGTH_MAX, at ./methodjit/MonoIC.cpp:1209 → JM: Assertion failure: length <= JS_ARGS_LENGTH_MAX, at ./methodjit/MonoIC.cpp:1209
|
Assignee | |
Updated•14 years ago
|
Assignee: general → luke
|
|
Assignee | |
Comment 2•14 years ago
|
||
Oh jeez, lame bug. I think this assert survived from a previous bug where we were erroneously using getArgsInitialLength (where the assert would hold).
Great find!
Attachment #529338 -
Flags: review?(jwalden+bmo)
|
||
Updated•14 years ago
|
Attachment #529338 -
Flags: review?(jwalden+bmo) → review+
|
|
Assignee | |
Comment 3•14 years ago
|
||
Whiteboard: fixed-in-tracemonkey
|
||
Comment 4•14 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/6bacbf7d220b
|
|
||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 5•13 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug653396.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•