Closed
Bug 787309
Opened 12 years ago
Closed 12 years ago
IonMonkey: Crash [@ ExpressionDecompiler::decompilePC] or "Assertion failure: script->analysis()->getCode(pc).stackDepth == ((hpcdepth == unsigned(-1)) ? pcdepth : hpcdepth)," or "Assertion failure: pcdepth >= nuses,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla18
| Tracking | Status | |
|---|---|---|
| firefox15 | --- | unaffected |
| firefox16 | --- | unaffected |
| firefox17 | --- | unaffected |
| firefox18 | --- | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: nbp)
References
Details
(4 keywords, Whiteboard: [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00][adv-main18-])
Crash Data
Attachments
(1 file)
|
1.91 KB,
patch
|
nbp
:
review+
|
Details | Diff | Splinter Review |
+++ This bug was initially created as a clone of Bug #781660 +++
try {
h
} catch (x
if gc()) {} finally {
this.z.z
}
asserts 64-bit js debug shell on IonMonkey changeset 32b7b76d111c with --no-ti.
(function () {
try {} catch (x if true) { } finally {
3(__defineSetter__("x", encodeURIComponent))
}
})()
crashes 64-bit js opt shell on IonMonkey changeset d794f23798f4 without any CLI arguments at ExpressionDecompiler::decompilePC
Spinning this off from bug 781660 comment 4 and bug 781660 comment 5.
|
Reporter | |
Comment 1•12 years ago
|
||
A half-patch is in bug 781660 comment 10.
|
|
Reporter | |
Comment 2•12 years ago
|
||
Also assigning to Nicolas at his request.
|
Assignee | |
Updated•12 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•12 years ago
|
||
Add again this patch to this bug, with the r+ given by luke in Bug 781660, even if the patch by it-self cause more failures as it depends on Bug 787848.
Attachment #660436 -
Flags: review+
|
||
Updated•12 years ago
|
status-firefox15:
--- → unaffected
status-firefox16:
--- → unaffected
status-firefox17:
--- → unaffected
status-firefox18:
--- → affected
Whiteboard: [ion:p1:fx18] [jsbugmon:update] → [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00]
Version: Other Branch → Trunk
|
|
Assignee | |
Comment 4•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
Flags: in-testsuite+
|
|
Reporter | |
Comment 5•12 years ago
|
||
This went to Try previously:
https://tbpl.mozilla.org/?tree=Try&rev=b1ba09d0a184
|
||
Comment 6•12 years ago
|
||
Push backed out for make check failures:
https://tbpl.mozilla.org/php/getParsedLog.php?id=15645062&tree=Mozilla-Inbound
Backout:
https://hg.mozilla.org/integration/mozilla-inbound/rev/b903d1d1b861
|
|
Reporter | |
Updated•12 years ago
|
Flags: in-testsuite+
|
|
Assignee | |
Comment 7•12 years ago
|
||
|
||
Comment 8•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
|
|
||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Comment 9•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•12 years ago
|
status-firefox-esr17:
--- → unaffected
Whiteboard: [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00] → [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00][adv-main18-]
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•