Closed
Bug 582894
Opened 14 years ago
Closed 14 years ago
JM: "Assertion failure: INT_FITS_IN_JSID(i),"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: dvander)
References
Details
(Keywords: assertion, regression, testcase)
Attachments
(1 file)
(deleted),
patch
|
dmandelin
:
review+
|
Details | Diff | Splinter Review |
for each(let e in [0x40000000]) {
(0)[e]
}
asserts js debug shell on JM changeset 3700c42a8e82 with -m at Assertion failure: INT_FITS_IN_JSID(i), at ../jsapi.h:368
Comment 1•14 years ago
|
||
Hits a nice corner in the GetElem stub where the id value is 32b wide but the INT_TO_JSID needs to shift it one left. Do we have to test for this high-bit-set condition everywhere we want to convert? There's also ArgSub in StubCalls.cpp and no warning on the APIs that take a jsint and convert to JSID, like JS_GetElement.
CCing lw for his unequaled fatval knowledge!
Comment 2•14 years ago
|
||
Yes, all calls to INT_TO_JSID must dynamically test or statically know that INT_FITS_IN_JSID(i).
Assignee | ||
Comment 3•14 years ago
|
||
Just hit this in real-world code so time to fix. I just duplicated the interpreter case, since they diverged.
Updated•14 years ago
|
Attachment #468199 -
Flags: review?(dmandelin) → review+
Assignee | ||
Comment 4•14 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 5•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug582894.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•