Created attachment 630785: testcase
The attached testcase asserts js debug shell on m-c changeset f918d74f736c without any CLI arguments at Assertion failure: pc == bce->code(top + tableSize),
Unfortunately I was not able to get a bisection in time.
Tested on 64-bit Windows 7.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 95044:699a613bf616
user: Benjamin Peterson
date: Sat May 26 09:33:53 2012 -0400
summary: Bug 757676 - Implement JS default parameters. r=jorendorff
Created attachment 636033: don't let the memory change under us
Interesting bug!
The security sensitivity of this bug comes from its potential to write to memory not owned by the JS engine.
Comment on attachment 636033: don't let the memory change under us
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 757676
User impact if declined: JS can potentially write to random memory
Testing completed (on m-c, etc.): Feature is well tested by js engine tests.
Risk to taking this patch (and alternatives if risky): None; only sane solution really.
String or UUID changes made by this patch: None
Comment on attachment 636033: don't let the memory change under us
[Triage Comment]
Low risk sg:crit fix for Aurora 15.
Removed checkin-needed for the moment; we should let it bake on inbound / central for at least a few days before landing on aurora.
JSBugMon: This bug has been automatically verified fixed.
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929