Closed Bug 981371 Opened 10 years ago Closed 10 years ago

Fix an assertion that can never fail

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla31

People

(Reporter: Ms2ger, Assigned: Ms2ger)

References

Details

Attachments

(1 file)

Patch v1
762 bytes, patch
luke
: review+
Details | Diff | Splinter Review
Attached patch Patch v1Splinter Review 
JSVAL_IS_OBJECT_IMPL has (in the x64 representation)

MOZ_ASSERT((l.asBits >> JSVAL_TAG_SHIFT) <= JSVAL_SHIFTED_TAG_OBJECT);

with 

JSVAL_SHIFTED_TAG_OBJECT       = (((uint64_t)JSVAL_TAG_OBJECT)     << JSVAL_TAG_SHIFT)

JSVAL_TAG_SHIFT is 47, so we're comparing the 17-bit value (l.asBits >> JSVAL_TAG_SHIFT) to (0x1FFF0 | 0x07) << 47, which is hardly ever going to fail. I assume it was intended to compare the two 17-bit tag values (l.asBits >> JSVAL_TAG_SHIFT) and JSVAL_TAG_OBJECT.

(This assertion dates back to the initial landing of bug 549143.)
Attachment #8388164 - Flags: review?(luke)
Comment on attachment 8388164 [details] [diff] [review]
Patch v1

Hah, thanks.  Really, I should have introduced a new 
  #define JSVAL_MAX_TAG JSVAL_TAG_OBJECT
and then added
  JS_ASSERT(JSVAL_TAG_OBJECT == JSVAL_MAX_TAG)
in this function to make the representation dependency explicit.  Feel free to do that too, if you'd like.
Attachment #8388164 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/281d420eb9b7
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: