Closed
Bug 794286
Opened 12 years ago
Closed 12 years ago
IonMonkey: Mochitest browser_586068-cascaded_restore.js: Assertion failure: script->analysis()->getCode(pc).stackDepth == ((hpcdepth == unsigned(-1)) ? pcdepth : hpcdepth)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla18
Tracking | Status | |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: nbp, Assigned: nbp)
References
Details
(6 keywords, Whiteboard: [ion:p1:fx18] [jsbugmon:update][adv-main18-])
Crash Data
Attachments
(2 files)
1.78 KB,
application/x-javascript
|
Details | |
1.68 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
This bug appear with patches made for bug 787309 and bug 787848 and prevent their landing. This bug show up on mochitest ./browser/components/sessionstore/test/browser_586068-cascaded_restore.js when ran with --browser-chrome option.
Assignee | ||
Comment 1•12 years ago
|
||
Test case reproducing the bug in the shell.
Assignee | ||
Comment 2•12 years ago
|
||
This bug fix a previous mistake made in Bug 787309. When a goto is followed, we reset the stack depth to the hidden stack depth if it was set, otherwise, we keep the normal stack depth. This follow stack changes introduced by let statements, as triggered by the attached test case.
Attachment #664741 -
Flags: review?(luke)
Comment 3•12 years ago
|
||
I reduced comment 1 to: for (var i = 0; i < 2; i++) { let y if (undefined) continue for (var j = 0; j < undefined.e; j++) {} }
Comment 4•12 years ago
|
||
for (var i = 0; i < 1; i++) { let y if (undefined) continue undefined.e }
Updated•12 years ago
|
Updated•12 years ago
|
Keywords: csec-bounds
Updated•12 years ago
|
Attachment #664741 -
Flags: review?(luke) → review+
Assignee | ||
Comment 5•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b176f299c52c
Assignee | ||
Updated•12 years ago
|
Flags: in-testsuite+
Comment 6•12 years ago
|
||
This went to Try previously: https://tbpl.mozilla.org/?tree=Try&rev=b1ba09d0a184
Comment 7•12 years ago
|
||
Push backed out for make check failures: https://tbpl.mozilla.org/php/getParsedLog.php?id=15645062&tree=Mozilla-Inbound Backout: https://hg.mozilla.org/integration/mozilla-inbound/rev/b903d1d1b861
Updated•12 years ago
|
Flags: in-testsuite+
Assignee | ||
Comment 8•12 years ago
|
||
Try server: https://tbpl.mozilla.org/?tree=Try&rev=2e9b651cf28a Minor fix to original patch: https://hg.mozilla.org/integration/mozilla-inbound/rev/b16e828c9443
Comment 9•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b16e828c9443
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
status-firefox18:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Updated•11 years ago
|
Whiteboard: [ion:p1:fx18] [jsbugmon:update] → [ion:p1:fx18] [jsbugmon:update][adv-main18-]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•