Bug 52643

Summary: [jsfunfuzz] Assertion in codegen for array of NaN constants
Product: WebKit Reporter: Oliver Hunt <oliver>
Component: JavaScriptCoreAssignee: Oliver Hunt <oliver>
Status: RESOLVED FIXED    
Severity: Normal CC: barraclough, ggaren, jruderman, msaboff
Priority: P2    
Version: 528+ (Nightly build)   
Hardware: PC   
OS: OS X 10.5   
Bug Depends on:    
Bug Blocks: 13638    
Attachments:
Description Flags
Patch koivisto: review+

Description Oliver Hunt 2011-01-18 11:32:44 PST
This asserts when trying to cache values in the number pool
tryItOut("/*p*/for (w in [(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0)]) { (eval = c); }")

I've reduced it to:
[(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0)(0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0), (0/0)]

You can't seem to remove any of the elements, but you can add more elements to the end.
Comment 1 Oliver Hunt 2011-01-18 12:52:48 PST
Created attachment 79312 [details]
Patch
Comment 2 Oliver Hunt 2011-01-18 13:10:15 PST
Committed r76049: <http://trac.webkit.org/changeset/76049>