Created attachment 626404
Testcase for shell
The attached testcase asserts on ionmonkey revision d5545e6d927b (run with --ion -n).
As discussed with jandem already, the testcase here is highly fragile and might not reproduce easily. It might also be necessary to use --ion-eager.
Created attachment 626462
We discussed this a bit on IRC. I don't know the code very well, but it seems the assert should use <= instead of <.
If we have the following jumps:
jump 0 - offset 0
jump 1 - offset 16
jump 2 - offset 32
size() -> 48
Then (extendedJumpTable_ + i * SizeOfJumpTableEntry) is 32 for i == 2. In this case size() - SizeOfJumpTableEntry is also 32.
Given that the patch simply changes the assert we're saying there's no possible security bug here, right?
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Given that the patch simply changes the assert we're saying there's no
> possible security bug here, right?
Testcase is too complex to add.