Closed
Bug 665273
Opened 14 years ago
Closed 14 years ago
Crash [@ GetElement] or "Assertion failure: index >= 0,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, crash, testcase, Whiteboard: [ccbr])
Crash Data
Attachments
(1 file)
|
4.90 KB,
text/plain
|
Details |
(Array(2415838199)).reduceRight(function(){})
crashes js opt shell on JM changeset 9ff00d53b5a5 without any CLI arguments at GetElement and asserts js debug shell at Assertion failure: index >= 0,
May be related to bug 663468 or bug 664009 ?
|
Reporter | |
Comment 1•14 years ago
|
||
Also reproduces on TM changeset e59b1d2a2f79.
|
|
Reporter | |
Comment 2•14 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 26356:7f7722d3a2dc
user: Jeff Walden
date: Mon Jan 12 13:07:48 2009 -0800
summary: Bug 465980 - Some array methods don't work right on ginormous arrays. r=brendan
Blocks: 465980
|
||
Comment 3•14 years ago
|
||
I didn't land the fix for bug 664009 in TM, only in m-c and a bunch of beta and release branches. I'm pretty sure this goes away with a m-c->TM merge.
|
||
Updated•14 years ago
|
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
|
|
||
Updated•14 years ago
|
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
|
|
||
Comment 6•14 years ago
|
||
sorry for the noise.
|
|
Reporter | |
Comment 7•14 years ago
|
||
(In reply to comment #3)
> I didn't land the fix for bug 664009 in TM, only in m-c and a bunch of beta
> and release branches. I'm pretty sure this goes away with a m-c->TM merge.
Confirmed to be fixed in a later TM changeset 0428dbdf3d58.
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•