
Assertion failure: key.index() >= 0, at methodjit/BaseAssembler.h:788

RESOLVED FIXED in mozilla13

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla13
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following test asserts on mozilla-central revision 8a59519e137e (options -m -n -a):


var a = [];
for (let j = 0; j < 5; ++j) {
    // -2 is not a valid array index, so `in` looks up the plain property "-2"
    a.push(-2 in (a));
}


S-s because this seems to be some length/offset guarding assertion in methodjit, so I'd assume this could go worse than just asserting.
Is this a regression?
Created attachment 593644 [details] [diff] [review]
patch

It looks like this is due to bug 664824, so a recent regression. An unsigned comparison is being used (as is done for all other uses of guardArrayExtent) so behavior should be correct; I think this assert is bogus.
Assignee: general → bhackett1024
Attachment #593644 - Flags: review?
Group: core-security
Attachment #593644 - Flags: review? → review?(jdemooij)
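An added example, not SpiderMonkey code and not part of the attached patch, that models the point made in the comment above: a negative key such as -2 is not an array index under ECMAScript rules, and an extent guard that compares the key as an unsigned value rejects it, so the JIT fast path is simply not taken. The function names and the guard model are illustrative assumptions; the testcase is the one from the description.

```javascript
// Added example, not SpiderMonkey or this bug's patch: a model of why an
// unsigned extent comparison handles a negative key such as -2 safely.
// All function names here are illustrative assumptions.

// ECMAScript array-index rule: a canonical numeric string in [0, 2^32-2].
// -2 fails this, so `-2 in a` is a lookup of the plain property "-2".
function isArrayIndex(key) {
  const n = Number(key);
  return Number.isInteger(n) && n >= 0 && n <= 2 ** 32 - 2 && String(n) === String(key);
}

// Model of a guardArrayExtent-style check done with an unsigned compare:
// reinterpreting -2 as uint32 gives 4294967294, which is never below the
// array length, so the guard fails and the fast path is not taken.
function passesUnsignedExtentGuard(key, length) {
  return (key >>> 0) < (length >>> 0);
}

// Contrast (illustrative only, not what the engine does): a signed compare
// would admit negative keys, which is why the unsigned form is the safe one.
function passesSignedExtentGuard(key, length) {
  return (key | 0) < (length | 0);
}

// The testcase from the description, returned so its result can be checked.
function runTestcase() {
  var a = [];
  for (let j = 0; j < 5; ++j) {
    a.push(-2 in (a));
  }
  return a;
}

// Assigning through a negative key creates a named property, not an element:
// `in` then reports true, but length stays 0 and the key is the string "-2".
function negativeKeyIsPlainProperty() {
  const a = [];
  a[-2] = "x";
  return { has: -2 in a, length: a.length, keys: Object.keys(a) };
}
```

Running `runTestcase()` yields five `false` values: the array never gains an element at a negative position, and the unsigned guard model returns false for key -2 against any length, which is the behaviour the comment relies on.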

Updated

5 years ago
Attachment #593644 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/b8252a1c0de6
https://hg.mozilla.org/mozilla-central/rev/b8252a1c0de6
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
(Reporter)

Comment 5

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+