Closed
Bug 352605
Opened 18 years ago
Closed 18 years ago
yield with nested xml-filtering-predicates can still cause assertion failure
Categories
(Core :: JavaScript Engine, defect, P3)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: crash, testcase, verified1.8.1)
Attachments
(1 file)
|
1.53 KB,
patch
|
jwalden+fxhelp
:
review+
|
Details | Diff | Splinter Review |
Even though bug 350809 is fixed, it is still possible to trigger assertions with *nested* xml filtering predicate operators: js> (function() { <y/>.(<x/>.(false), (yield 3)) })().next() Assertion failure: fp->sp == sp, at jsinterp.c:5765 Perhaps exiting from the inner filtering expression screws with the JSFRAME_FILTERING flag that the patch in bug 350809 relies on?
|
Reporter | |
Comment 1•18 years ago
|
||
In today's Firefox nightly, this testcase doesn't crash. It does fail to throw "yield not yet supported from filtering predicate", of course.
|
Assignee | |
Comment 2•18 years ago
|
||
This is critical only because JS_ASSERT is fatal in debug builds. In release builds it's not so bad, but since the inner filter clears the flag, the outer one may find its rethrown exceptions caught twice by the same catch. /be
|
|
Assignee | |
Comment 3•18 years ago
|
||
Easy fix. /be
|
||
Comment 4•18 years ago
|
||
Comment on attachment 238360 [details] [diff] [review] fix (In reply to comment #3) > Easy fix. Indeed. :-)
Attachment #238360 -
Flags: review?(jwalden+bmo) → review+
|
|
Assignee | |
Comment 5•18 years ago
|
||
Fixed on trunk. I'm not going to bother the 1.8.1 drivers with this, even though it is zero-risk. Anyone who feels differently may nominate the patch. /be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
OS: Mac OS X 10.4 → All
Priority: -- → P3
Hardware: Macintosh → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
|
||
Comment 6•18 years ago
|
||
Checking in regress-352605.js; /cvsroot/mozilla/js/tests/js1_7/geniter/regress-352605.js,v <-- regress-352605.js initial revision: 1.1 done
Flags: in-testsuite+
|
|
||
Comment 7•18 years ago
|
||
"yield not yet supported from filtering predicate" Checking in regress-352605.js; /cvsroot/mozilla/js/tests/js1_7/geniter/regress-352605.js,v <-- regress-352605.js new revision: 1.2; previous revision: 1.1 done verified fixed no assert 1.9 20060914 windows/mac*/linux
Status: RESOLVED → VERIFIED
|
|
Assignee | |
Comment 8•18 years ago
|
||
Fix was needed to merge fix for approved bug 353249. /be
Keywords: fixed1.8.1
|
|
||
Comment 9•18 years ago
|
||
verified fixed 1.8, 1.9 20061002 windows/linux and 1.8 macppc.
Keywords: fixed1.8.1 → verified1.8.1
You need to log in
before you can comment on or make changes to this bug.
Description
•