Closed
Bug 722021
Opened 13 years ago
Closed 13 years ago
Assertion failure: key.index() >= 0, at methodjit/BaseAssembler.h:788
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla13
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: assertion, testcase, Whiteboard: js-triage-needed)
Attachments
(1 file)
|
970 bytes,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision 8a59519e137e (options -m -n -a):
var a = [];
for (let j = 0; j < 5; ++j) {
a.push(-2 in (a));
}
S-s because this seems to be some length/offset guarding assertion in methodjit, so I'd assume this could go worse than just asserting.
|
||
Comment 1•13 years ago
|
||
Is this a regression?
|
Assignee | |
Comment 2•13 years ago
|
||
It looks like this is due to bug 664824, so a recent regression. An unsigned comparison is being used (as is done for all other uses of guardArrayExtent) so behavior should be correct, I think this assert is bogus.
Assignee: general → bhackett1024
Attachment #593644 -
Flags: review?
|
|
Assignee | |
Updated•13 years ago
|
Group: core-security
|
|
Assignee | |
Updated•13 years ago
|
Attachment #593644 -
Flags: review? → review?(jdemooij)
|
||
Updated•13 years ago
|
Attachment #593644 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 3•13 years ago
|
||
|
||
Comment 4•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
|
Reporter | |
Comment 5•12 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•