TI: Assertion failure: v.isObject(), at jsnum.cpp:1308

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Opened: 6 years ago
Last modified: 4 years ago

People: Reporter: decoder, Unassigned

Tracking: Blocks: 2 bugs
Keywords: assertion, testcase
Version: Trunk
Platform: x86_64 Linux
Points: ---
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 6 years ago)
The following testcase asserts on TI revision 4dff743ec04d (run with -j -m -n -a), tested on 64 bit:
var SECTION = "15.4.5.2-2";
addCase(new Array, 0, Math, Math.pow(2, SECTION));
var arg = "", i = 0;
var a = eval("new Array(" + arg + ")");
addCase(a, i, +i + 1, Math.pow(2, 12) + i + 1, true);
function addCase(object, old_len, set_len, new_len, checkitems) {
    for (var i = old_len; i < new_len; i++) if (object[i] != 0) {}
}

Comment 1 (6 years ago)
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 658211
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Comment 2 (6 years ago)
Accidental dupe above, the problem here is an incorrectly hoisted bounds check on object[i].  We should only constrain index operations in terms of the loop test when that loop test is definitely on integers, but the filtering for non-integer loop tests was incomplete.

http://hg.mozilla.org/projects/jaegermonkey/rev/bcc2fd5dec1f
Status: REOPENED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
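To make the point of the comment above concrete, here is an added example (not JaegerMonkey or SpiderMonkey code) that models bounds-check hoisting in a loop and shows why the hoist is only sound when the loop test is definitely an integer comparison. All function names and the int32 truncation of the bound are assumptions of this toy model; the only value taken from the page is the testcase's bound `Math.pow(2, "15.4.5.2-2")`, which is NaN.

```javascript
// Added example, not engine code: a toy model of hoisting a bounds check out of
// `for (i = lo; i < hi; i++) arr[i]`. Names below are hypothetical.

// An int32 test in the spirit of "the loop test is definitely on integers".
function isInt32(v) {
  return typeof v === "number" && (v | 0) === v;
}

// The filter the fix tightens: hoist only when both loop bounds are int32.
// The reporter's testcase feeds Math.pow(2, "15.4.5.2-2") (NaN) as a bound, so
// this returns false for it.
function canHoistBoundsCheck(lo, hi) {
  return isInt32(lo) && isInt32(hi);
}

// Reference semantics: a bounds check on every array access.
function sumChecked(arr, lo, hi) {
  let sum = 0, checks = 0;
  for (let i = lo; i < hi; i++) {
    checks++;
    if (i < 0 || i >= arr.length) {
      throw new RangeError("index " + i + " out of bounds");
    }
    sum += arr[i];
  }
  return { sum, checks };
}

// Hoisted variant that assumes an integer bound: the per-iteration check is
// replaced by one check before the loop, with `hi` truncated to int32 the way an
// integer-typed code path would treat it (NaN -> 0, 2.5 -> 2). For a fractional
// bound the loop still runs one iteration past the truncated limit, so the
// hoisted check no longer covers every access the loop performs.
function sumHoistedUnfiltered(arr, lo, hi) {
  const hiInt = hi | 0;
  if (lo < 0 || hiInt > arr.length) {
    throw new RangeError("hoisted bounds check failed");
  }
  let sum = 0;
  for (let i = lo; i < hi; i++) {
    sum += arr[i]; // no check here: a read past the end yields undefined
  }
  return { sum, checks: 1 };
}

// Fixed optimizer: hoist only when the filter says the loop test is on integers,
// otherwise keep the per-access checks.
function sumOptimized(arr, lo, hi) {
  return canHoistBoundsCheck(lo, hi)
    ? sumHoistedUnfiltered(arr, lo, hi)
    : sumChecked(arr, lo, hi);
}

// Demo on constructed input.
const data = [10, 20];
console.log(sumOptimized(data, 0, 2));                          // { sum: 30, checks: 1 }
console.log(canHoistBoundsCheck(0, 2.5));                       // false
console.log(canHoistBoundsCheck(0, Math.pow(2, "15.4.5.2-2"))); // false: NaN bound
console.log(sumHoistedUnfiltered(data, 0, 2.5).sum);            // NaN: read past the end
```

With an integer bound the hoisted and checked versions agree and the loop pays for one check instead of one per iteration. With the fractional bound 2.5 the unfiltered hoist passes its single check (2 <= 2) and then reads `arr[2]`; in this model that is merely `undefined`, but in a JIT the same unchecked access is a native memory read, which is why an incomplete filter for non-integer loop tests is a memory-safety problem rather than a NaN.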
Updated (Reporter, 6 years ago)
Blocks: 676763

Comment 3 (Reporter, 4 years ago)
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/loops/bug658290.js.
Flags: in-testsuite+