Closed Bug 794286 Opened 12 years ago Closed 12 years ago

IonMonkey: Mochitest browser_586068-cascaded_restore.js: Assertion failure: script->analysis()->getCode(pc).stackDepth == ((hpcdepth == unsigned(-1)) ? pcdepth : hpcdepth)

Categories

(Core :: JavaScript Engine, defect)

Other Branch
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla18
Tracking Status
firefox17 --- unaffected
firefox18 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: nbp, Assigned: nbp)

References

Details

(6 keywords, Whiteboard: [ion:p1:fx18] [jsbugmon:update][adv-main18-])

Crash Data

Attachments

(2 files)

This bug appear with patches made for bug 787309 and bug 787848 and prevent their landing.  This bug show up on mochitest ./browser/components/sessionstore/test/browser_586068-cascaded_restore.js when ran with --browser-chrome option.
Attached file Shell test case.
Test case reproducing the bug in the shell.
This bug fix a previous mistake made in Bug 787309.
When a goto is followed, we reset the stack depth to the hidden stack depth if it was set, otherwise, we keep the normal stack depth.  This follow stack changes introduced by let statements, as triggered by the attached test case.
Attachment #664741 - Flags: review?(luke)
I reduced comment 1 to:

for (var i = 0; i < 2; i++) {
    let y
    if (undefined) continue
    for (var j = 0; j < undefined.e; j++) {}
}
for (var i = 0; i < 1; i++) {
    let y
    if (undefined) continue
    undefined.e
}
Keywords: csec-bounds
Attachment #664741 - Flags: review?(luke) → review+
Flags: in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/b16e828c9443
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Whiteboard: [ion:p1:fx18] [jsbugmon:update] → [ion:p1:fx18] [jsbugmon:update][adv-main18-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.