Closed Limesss closed 1 year ago
Reproduce: make Debug=1 POC:
function test0() { var c = 4294967295; var ary = Array(); var func2 = function () { ary.pop(); ary.pop(); return 4; }; function func3() { --c ary.reverse(); return func2()+ 1; } ary[c] = 1; ary.splice(0, 0, func2(), func3()); ary.push(2); ary[c] = 0; ary.splice(1, 0, func2(), func3()); ary.push(3); } test0();
Details: ASSERT(jsvIsInt(v)) FAILED AT src/jsvar.c:2035
#2[r1,l2] Name String [1 blocks] "\xFF" #3[r1,l1] Object { #6[r1,l2] Name String [1 blocks] "timers" #7[r2,l0] Array(0) [ ] #8[r1,l2] Name String [1 blocks] "watches" #9[r2,l0] Array(0) [ ] } #11[r1,l2] Name String [1 blocks] "quit" #10[r1,l0] NativeFunction 0x1a99f100 (0) { } #51[r1,l3] Name String [1 blocks] "test0" #52[r1,l1] Function { #53[r1,l2] Name String [1 blocks] "\xFFcod" #56[r1,l2] FlatString [14 blocks] "var c = 4294967295;\r\n var ary = Array();\r\n var func2 = function () {\r\n ary.pop();\r\n ary.pop();\r\n return 4;\r\n };\r\n\r\n function func3() {\r\n --c\r\n ary.reverse();\r\n return func2()+ 1;\r\n }\r\n\r\n ary[c] = 1;\r\n ary.splice(0, 0, func2(), func3());\r\n ary.push(2);\r\n ary[c] = 0;\r\n ary.splice(1, 0, func2(), func3());\r\n ary.push(3);" } #76[r1,l2] Name String [1 blocks] "Array" #75[r1,l0] NativeFunction 0x1a9a2cd1 (17) { }
} EXITING.
Reproduce: make Debug=1 POC:
Details: ASSERT(jsvIsInt(v)) FAILED AT src/jsvar.c:2035
1[r3,l2] Object {
} EXITING.