Bug 657245 - TI: Assertion failure: length <= INT32_MAX, at jsobjinlines.h:452
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Assigned To: general
Blocks: infer-regress langfuzz
Reported: 2011-05-15 12:50 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:57 PST
choller: in‑testsuite+

Description Christian Holler (:decoder) 2011-05-15 12:50:56 PDT
The following testcase asserts on TI revision 693a36f402ee (can be run without any options), tested on 64 bit:

var length = 4294967295;
var array1 = Array(length);
array1.pop();

Comment 1 Brian Hackett (:bhackett) 2011-05-15 23:37:59 PDT
Bogus assert, we used setDenseArrayLength in array_pop_dense whose input should fit in an int32 as TI isn't informed if the length overflows an int32 (inference needs to know about arrays whose length may not fit in an int32).  However, in this case the old length was already a uint32 so no update is needed.

http://hg.mozilla.org/projects/jaegermonkey/rev/2649e0f0049f

Comment 2 Christian Holler (:decoder) 2013-01-14 07:57:54 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug657245.js.
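
An added regression sweep, not part of the bug thread and not the contents of bug657245.js: it extends the testcase from the description to array lengths on both sides of INT32_MAX and checks the language-level result of pop(), including the case where the length crosses back into int32 range. The helper names fitsInt32, popSparse, popStretched and sweep are assumptions made for this example.

```javascript
// Added example: boundary sweep around the int32/uint32 edge for Array.prototype.pop.
const INT32_MAX = 0x7fffffff;   // 2147483647
const UINT32_MAX = 0xffffffff;  // 4294967295, the largest valid array length

// True when a length can be stored in a signed 32-bit integer.
function fitsInt32(length) {
  return Number.isInteger(length) && length >= 0 && length <= INT32_MAX;
}

// Pop from a sparse array of the given length and report what happened.
function popSparse(length) {
  const arr = Array(length);    // sparse: no element storage is allocated
  const popped = arr.pop();
  return {
    before: length,
    after: arr.length,
    popped,
    beforeFitsInt32: fitsInt32(length),
    afterFitsInt32: fitsInt32(arr.length),
  };
}

// Same operation on an array that holds real elements and a stretched length.
function popStretched(length) {
  const arr = [1, 2, 3];
  arr.length = length;          // everything past index 2 is a hole
  const popped = arr.pop();
  return { after: arr.length, popped, kept: arr.slice(0, 3) };
}

// Lengths just below, at, and above INT32_MAX, plus the original testcase value.
function sweep() {
  const lengths = [INT32_MAX - 1, INT32_MAX, INT32_MAX + 1, INT32_MAX + 2, UINT32_MAX];
  return lengths.map(popSparse);
}

for (const r of sweep()) {
  console.log(`${r.before} -> ${r.after} popped=${r.popped} ` +
              `fits int32: ${r.beforeFitsInt32} -> ${r.afterFitsInt32}`);
}
```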
