Bug 658290 - TI: Assertion failure: v.isObject(), at jsnum.cpp:1308
Status: RESOLVED FIXED
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Priority: --
Severity: critical
Assigned To: general
Blocks: infer-regress langfuzz
Reported: 2011-05-19 08:55 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 07:54 PST
Flags: choller: in-testsuite+

Description Christian Holler (:decoder) 2011-05-19 08:55:53 PDT
The following testcase asserts on TI revision 4dff743ec04d (run with -j -m -n -a), tested on 64 bit:


var SECTION = "15.4.5.2-2";
// Math.pow(2, "15.4.5.2-2") is NaN, so the first call's new_len is not an integer
addCase(new Array, 0, Math, Math.pow(2, SECTION));
var arg = "", i = 0;
var a = eval("new Array(" + arg + ")");
// Second call: new_len is the integer 4097
addCase(a, i, +i + 1, Math.pow(2, 12) + i + 1, true);
function addCase(object, old_len, set_len, new_len, checkitems) {
    // Loop test i < new_len drives the bounds check on object[i]
    for (var i = old_len; i < new_len; i++) if (object[i] != 0) {}
}
Comment 1 Brian Hackett (:bhackett) 2011-05-19 14:17:33 PDT

*** This bug has been marked as a duplicate of bug 658211 ***
Comment 2 Brian Hackett (:bhackett) 2011-05-19 16:11:09 PDT
Accidental dupe above; the problem here is an incorrectly hoisted bounds check on object[i]. We should only constrain index operations in terms of the loop test when that loop test is definitely on integers, but the filtering for non-integer loop tests was incomplete.

http://hg.mozilla.org/projects/jaegermonkey/rev/bcc2fd5dec1f
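The hoisting problem described in comment 2, as an added model in JavaScript (not code from this bug or the jaegermonkey fix): `isInt32`, `growingBound` and `hoistedReads` are hypothetical names, and the model does not reproduce the real TI loop analysis, only the soundness rule that the loop test may justify hoisting the bounds check only when its operands are definitely integers.

```javascript
// Model of loop-invariant bounds-check hoisting (added illustration; the real
// JaegerMonkey analysis is not reproduced here). `limit` plays the role of
// `new_len` in the testcase above.

function isInt32(v) {
  return typeof v === "number" && (v | 0) === v;
}

// A non-integer bound whose coercion has a side effect: each `i < limit`
// comparison sees a larger number than the one before (capped at 6), so a
// single evaluation hoisted out of the loop is stale by the first iteration.
function growingBound() {
  let n = 0;
  return { valueOf() { n = Math.min(n + 1, 6); return n; } };
}

// Simulates `for (i = start; i < limit; i++) read(arr[i])` with the per-access
// bounds check hoisted in front of the loop. `requireInt` models the fix: only
// use the loop test to justify hoisting when start and limit are definitely
// int32. Returns whether the check was hoisted and how many reads would have
// been performed without a check while actually being out of bounds.
function hoistedReads(arr, start, limit, requireInt) {
  if (requireInt && !(isInt32(start) && isInt32(limit))) {
    return { hoisted: false, unsafeReads: 0 }; // keep per-access checks
  }
  const bound = Number(limit);                 // the one hoisted evaluation
  if (!(start >= 0 && bound <= arr.length)) {
    return { hoisted: false, unsafeReads: 0 }; // hoisted check fails: checked loop
  }
  let unsafeReads = 0;
  for (let i = start; i < limit; i++) {        // loop test re-coerces limit each time
    if (i >= arr.length) unsafeReads++;        // would be an unchecked OOB read
  }
  return { hoisted: true, unsafeReads };
}

// Constructed inputs: a 3-element array and the side-effecting bound.
console.log(hoistedReads([1, 2, 3], 0, growingBound(), false)); // { hoisted: true, unsafeReads: 3 }
console.log(hoistedReads([1, 2, 3], 0, growingBound(), true));  // { hoisted: false, unsafeReads: 0 }
console.log(isInt32(Math.pow(2, "15.4.5.2-2")));                 // false: the testcase's first new_len is NaN
```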
Comment 3 Christian Holler (:decoder) 2013-01-14 07:54:35 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/loops/bug658290.js.
