Closed
Bug 842425
Opened 11 years ago
Closed 11 years ago
IonMonkey: Assertion failure: JSVAL_IS_DOUBLE_IMPL(l), at js/Value.h:364
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
1.47 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 0acbd06d48a9 (run with --ion-eager):
function g() {
var a = [];
for (var i = 0; i < 10; i++)
a.push(i, 1.5);
for (var i = 0; i < 32 ; i++)
a[i].m = function() {}
}
g();
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 1•11 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 120310:d7dd65663469 user: Brian Hackett date: Tue Jan 29 16:20:03 2013 -0700 summary: Bug 833898 - Allow converting mixed arrays of ints and doubles to uniform doubles, r=jandem. This iteration took 103.268 seconds to run.
|
Assignee | |
Comment 3•11 years ago
|
||
array_push used a path that would add elements to an array without checking if integer elements needed conversion to doubles. This is the only caller of copyDenseElements.
Assignee: general → bhackett1024
Attachment #716186 -
Flags: review?(jdemooij)
|
||
Updated•11 years ago
|
Attachment #716186 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/cd16203968a5
|
||
Comment 5•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/cd16203968a5
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
You need to log in
before you can comment on or make changes to this bug.
Description
•