Closed Bug 842884 Opened 11 years ago Closed 11 years ago

"Assertion failure: 0,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox20 --- fixed
firefox21 --- fixed
firefox22 --- fixed

People

(Reporter: gkw, Assigned: Benjamin)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(2 files)

stack
4.86 KB, text/plain
Details
don't assign optimize arrays with spread
5.21 KB, patch
jorendorff
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
Attached file stack 
var [] = [x, ...d]

asserts js debug shell on m-c changeset 401b967b2dfc without any CLI arguments at Assertion failure: 0,

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   96029:34476c720f8f
user:        Benjamin Peterson
date:        Wed Jun 06 21:53:07 2012 -0500
summary:     Bug 574130: JavaScript spread array initializers, r=jorendorff.

        Attachment #715829 -
        Flags: review?(jorendorff)

    
    

    
  
Assigning to Benjamin since he has a patch.
Assignee: general → benjamin
Status: NEW → ASSIGNED

    
    

    
  
Comment on attachment 715829 [details] [diff] [review]
don't assign optimize arrays with spread

Review of attachment 715829 [details] [diff] [review]:
-----------------------------------------------------------------

Nice.

        Attachment #715829 -
        Flags: review?(jorendorff) → review+

    
    

    
  
Comment on attachment 715829 [details] [diff] [review]
don't assign optimize arrays with spread

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 574130
User impact if declined: The bug causes us to take "unreachable" paths in the JS compiler just through weird JS syntax. It would probably be hard to exploit, but I wouldn't be surprised if malformed bytecode caused horrible memory corruption bugs in the interpreter.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): Very straightforward, safe patch.
String or UUID changes made by this patch: N/A

        Attachment #715829 -
        Flags: approval-mozilla-beta?

        Attachment #715829 -
        Flags: approval-mozilla-aurora?
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

    
    

    
  
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 702d2814efbf).

    
    

    
  
Fixed just not resolved yet.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

    
    

    
  
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 702d2814efbf).

    
    

    
  
Don't fight with the automation! ;) It's perfectly ok if the bug isn't resolved yet. JSBugMon is just indicating that the test doesn't reproduce anymore.

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/534b246aa51b
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Target Milestone: --- → mozilla22

    
    

    
  
Comment on attachment 715829 [details] [diff] [review]
don't assign optimize arrays with spread

Given the very low risk evaluation, how early we are in the beta cycle, and the fact that we've been seeing memory corruption issues in Firefox recently, approving for aurora/beta.

        Attachment #715829 -
        Flags: approval-mozilla-beta?

        Attachment #715829 -
        Flags: approval-mozilla-beta+

        Attachment #715829 -
        Flags: approval-mozilla-aurora?

        Attachment #715829 -
        Flags: approval-mozilla-aurora+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: