Last Comment Bug 722021 - Assertion failure: key.index() >= 0, at methodjit/BaseAssembler.h:788
: Assertion failure: key.index() >= 0, at methodjit/BaseAssembler.h:788
Status: RESOLVED FIXED
js-triage-needed
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: mozilla13
Assigned To: Brian Hackett (:bhackett)
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz
  Show dependency treegraph
 
Reported: 2012-01-28 02:39 PST by Christian Holler (:decoder)
Modified: 2013-01-19 14:35 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch (970 bytes, patch)
2012-02-01 16:25 PST, Brian Hackett (:bhackett)
jdemooij: review+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2012-01-28 02:39:04 PST
The following test asserts on mozilla-central revision 8a59519e137e (options -m -n -a):


var a = [];
for (let j = 0; j < 5; ++j) {
    a.push(-2 in (a));
}


S-s because this seems to be some length/offset guarding assertion in methodjit, so I'd assume this could go worse than just asserting.
Comment 1 Daniel Veditz [:dveditz] 2012-02-01 15:47:02 PST
Is this a regression?
Comment 2 Brian Hackett (:bhackett) 2012-02-01 16:25:30 PST
Created attachment 593644 [details] [diff] [review]
patch

It looks like this is due to bug 664824, so a recent regression.  An unsigned comparison is being used (as is done for all other uses of guardArrayExtent) so behavior should be correct, I think this assert is bogus.
Comment 3 Brian Hackett (:bhackett) 2012-02-02 16:07:05 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/b8252a1c0de6
Comment 4 Ed Morley [:emorley] 2012-02-03 11:05:51 PST
https://hg.mozilla.org/mozilla-central/rev/b8252a1c0de6
Comment 5 Christian Holler (:decoder) 2013-01-19 14:35:19 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.