Closed
Bug 842884
Opened 12 years ago
Closed 12 years ago
"Assertion failure: 0,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
People
(Reporter: gkw, Assigned: Benjamin)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
4.86 KB,
text/plain
|
Details | |
|
5.21 KB,
patch
|
jorendorff
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
var [] = [x, ...d]
asserts js debug shell on m-c changeset 401b967b2dfc without any CLI arguments at Assertion failure: 0,
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 96029:34476c720f8f
user: Benjamin Peterson
date: Wed Jun 06 21:53:07 2012 -0500
summary: Bug 574130: JavaScript spread array initializers, r=jorendorff.
|
Assignee | |
Comment 1•12 years ago
|
||
Attachment #715829 -
Flags: review?(jorendorff)
|
Reporter | |
Comment 2•12 years ago
|
||
Assigning to Benjamin since he has a patch.
Assignee: general → benjamin
Status: NEW → ASSIGNED
|
||
Comment 3•12 years ago
|
||
Comment on attachment 715829 [details] [diff] [review]
don't assign optimize arrays with spread
Review of attachment 715829 [details] [diff] [review]:
-----------------------------------------------------------------
Nice.
Attachment #715829 -
Flags: review?(jorendorff) → review+
|
|
Assignee | |
Comment 4•12 years ago
|
||
|
|
Assignee | |
Comment 5•12 years ago
|
||
Comment on attachment 715829 [details] [diff] [review]
don't assign optimize arrays with spread
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 574130
User impact if declined: The bug causes us to take "unreachable" paths in the JS compiler just through weird JS syntax. It would probably be hard to exploit, but I wouldn't be surprised if malformed bytecode caused horrible memory corruption bugs in the interpreter.
Testing completed (on m-c, etc.): On m-i now
Risk to taking this patch (and alternatives if risky): Very straightforward, safe patch.
String or UUID changes made by this patch: N/A
Attachment #715829 -
Flags: approval-mozilla-beta?
Attachment #715829 -
Flags: approval-mozilla-aurora?
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 6•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 702d2814efbf).
|
|
Assignee | |
Comment 7•12 years ago
|
||
Fixed just not resolved yet.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
|
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
|
|
||
Comment 8•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 702d2814efbf).
|
|
||
Comment 9•12 years ago
|
||
Don't fight with the automation! ;) It's perfectly ok if the bug isn't resolved yet. JSBugMon is just indicating that the test doesn't reproduce anymore.
|
||
Comment 10•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Target Milestone: --- → mozilla22
|
||
Comment 11•12 years ago
|
||
Comment on attachment 715829 [details] [diff] [review]
don't assign optimize arrays with spread
Given the very low risk evaluation, how early we are in the beta cycle, and the fact that we've been seeing memory corruption issues in Firefox recently, approving for aurora/beta.
Attachment #715829 -
Flags: approval-mozilla-beta?
Attachment #715829 -
Flags: approval-mozilla-beta+
Attachment #715829 -
Flags: approval-mozilla-aurora?
Attachment #715829 -
Flags: approval-mozilla-aurora+
|
||
Updated•12 years ago
|
|
|
Assignee | |
Comment 12•12 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•