Closed
Bug 981371
Opened 12 years ago
Closed 12 years ago
Fix an assertion that can never fail
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla31
People
(Reporter: Ms2ger, Assigned: Ms2ger)
References
Details
Attachments
(1 file)
|
762 bytes,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
JSVAL_IS_OBJECT_IMPL has (in the x64 representation)
MOZ_ASSERT((l.asBits >> JSVAL_TAG_SHIFT) <= JSVAL_SHIFTED_TAG_OBJECT);
with
JSVAL_SHIFTED_TAG_OBJECT = (((uint64_t)JSVAL_TAG_OBJECT) << JSVAL_TAG_SHIFT)
JSVAL_TAG_SHIFT is 47, so we're comparing the 17-bit value (l.asBits >> JSVAL_TAG_SHIFT) to (0x1FFF0 | 0x07) << 47, which is hardly ever going to fail. I assume it was intended to compare the two 17-bit tag values (l.asBits >> JSVAL_TAG_SHIFT) and JSVAL_TAG_OBJECT.
(This assertion dates back to the initial landing of bug 549143.)
Attachment #8388164 -
Flags: review?(luke)
|
||
Comment 1•12 years ago
|
||
Comment on attachment 8388164 [details] [diff] [review]
Patch v1
Hah, thanks. Really, I should have introduced a new
#define JSVAL_MAX_TAG JSVAL_TAG_OBJECT
and then added
JS_ASSERT(JSVAL_TAG_OBJECT == JSVAL_MAX_TAG)
in this function to make the representation dependency explicit. Feel free to do that too, if you'd like.
Attachment #8388164 -
Flags: review?(luke) → review+
|
Assignee | |
Comment 2•12 years ago
|
||
Flags: in-testsuite-
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
You need to log in
before you can comment on or make changes to this bug.
Description
•