Last Comment Bug 722021 - Assertion failure: key.index() >= 0, at methodjit/BaseAssembler.h:788
: Assertion failure: key.index() >= 0, at methodjit/BaseAssembler.h:788
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: mozilla13
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
  Show dependency treegraph
Reported: 2012-01-28 02:39 PST by Christian Holler (:decoder)
Modified: 2013-01-19 14:35 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (970 bytes, patch)
2012-02-01 16:25 PST, Brian Hackett (:bhackett)
jdemooij: review+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-01-28 02:39:04 PST
The following test asserts on mozilla-central revision 8a59519e137e (options -m -n -a):

var a = [];
for (let j = 0; j < 5; ++j) {
    a.push(-2 in (a));

S-s because this seems to be some length/offset guarding assertion in methodjit, so I'd assume this could go worse than just asserting.
Comment 1 User image Daniel Veditz [:dveditz] 2012-02-01 15:47:02 PST
Is this a regression?
Comment 2 User image Brian Hackett (:bhackett) 2012-02-01 16:25:30 PST
Created attachment 593644 [details] [diff] [review]

It looks like this is due to bug 664824, so a recent regression.  An unsigned comparison is being used (as is done for all other uses of guardArrayExtent) so behavior should be correct, I think this assert is bogus.
Comment 3 User image Brian Hackett (:bhackett) 2012-02-02 16:07:05 PST
Comment 4 User image Ed Morley [:emorley] 2012-02-03 11:05:51 PST
Comment 5 User image Christian Holler (:decoder) 2013-01-19 14:35:19 PST
Automatically extracted testcase for this bug was committed:

Note You need to log in before you can comment on or make changes to this bug.