Fixed by bug 509075 I believe. Deferring to mrbkap and jorendorff for final confirmation.
We should not assume this is "it". There's never only one cockroach. bhackett says sixgill can find any more statically -- cc'ing him to confirm based on details. /be
Would be cool to write a static analysis that can find the bug in the old code and then see what else it flags. I like it.
I should have reports from sixgill on read overflows of 64-bit quantities (to catch both jsval and js::Value) tomorrow or Friday. The tool is (nearly) sound so will definitely find this bug, the challenge is getting it to reliably identify correct handlers. Will probably need a little iteration to get the right annotations where fast natives are called.
Again, this is already fixed. We should DUP, not block on this one.
This testcase doesn't appear to crash 188.8.131.52pre (on mac anyway). I just repeatedly get the slow-script dialog.
(In reply to comment #5)
> Again, this is already fixed. We should DUP, not block on this one.

It's got a separate testcase, that appears to have different behavior at least on 1.9.1.x. "Depends on" is better so we don't forget to verify both testcases after the fix.
Do we need this fix on the 1.9.1 branch too?
bug 509075 has been checked in, let's verify that was the fix in an upcoming nightly build.
Can this be marked FIXED since it's fixed on trunk then?
Bug 509075 is now public, so I guess this can be public now too.