Note: There are a few cases of duplicates in user autocompletion which are being worked on.

TI: Assertion failure: length <= INT32_MAX, at jsobjinlines.h:452

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
--
critical
RESOLVED FIXED
Reported:
6 years ago
Modified:
5 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Version:
Trunk
x86_64
Linux
Keywords:
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details
(Reporter)

Description

6 years ago 
The following testcase asserts on TI revision 693a36f402ee (can be run without any options), tested on 64 bit:

var length = 4294967295;
var array1 = Array(length);
array1.pop();

Comment 1

6 years ago 
Bogus assert, we used setDenseArrayLength in array_pop_dense whose input should fit in an int32 as TI isn't informed if the length overflows an int32 (inference needs to know about arrays whose length may not fit in an int32).  However, in this case the old length was already a uint32 so no update is needed.

http://hg.mozilla.org/projects/jaegermonkey/rev/2649e0f0049f
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
 (Reporter)

Updated

6 years ago
Blocks: 676763
 (Reporter)

Comment 2

5 years ago 
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug657245.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.