Closed Bug 787309 Opened 8 years ago Closed 7 years ago

IonMonkey: Crash [@ ExpressionDecompiler::decompilePC] or "Assertion failure: script->analysis()->getCode(pc).stackDepth == ((hpcdepth == unsigned(-1)) ? pcdepth : hpcdepth)," or "Assertion failure: pcdepth >= nuses,"

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Windows 7
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla18
Tracking Status
firefox15 --- unaffected
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: gkw, Assigned: nbp)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00][adv-main18-])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #781660 +++

try {
    h
} catch (x
if gc()) {} finally {
    this.z.z
}

asserts 64-bit js debug shell on IonMonkey changeset 32b7b76d111c with --no-ti.

(function () {
    try {} catch (x if true) { } finally {
       3(__defineSetter__("x", encodeURIComponent))
    }
})()

crashes 64-bit js opt shell on IonMonkey changeset d794f23798f4 without any CLI arguments at ExpressionDecompiler::decompilePC.

Spinning this off from bug 781660 comment 4 and bug 781660 comment 5.
A half-patch is in bug 781660 comment 10.
Also assigning to Nicolas at his request.
Assignee: general → nicolas.b.pierron
No longer depends on: 781660
Keywords: crash
See Also: → 781660
Blocks: LandIon
Status: NEW → ASSIGNED
Adding this patch to this bug again, with the r+ given by luke in Bug 781660, even though the patch by itself causes more failures, as it depends on Bug 787848.
Attachment #660436 - Flags: review+
Whiteboard: [ion:p1:fx18] [jsbugmon:update] → [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00]
Version: Other Branch → Trunk
Depends on: 794286
Flags: in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/9f22813d133f
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00] → [ion:p1:fx18] [jsbugmon:update,origRev=fdfaef738a00][adv-main18-]
Group: core-security