Closed
Bug 842884
Opened 11 years ago
Closed 11 years ago
"Assertion failure: 0,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
People
(Reporter: gkw, Assigned: Benjamin)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
4.86 KB,
text/plain
|
Details | |
5.21 KB,
patch
|
jorendorff
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
var [] = [x, ...d] asserts js debug shell on m-c changeset 401b967b2dfc without any CLI arguments at Assertion failure: 0, autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 96029:34476c720f8f user: Benjamin Peterson date: Wed Jun 06 21:53:07 2012 -0500 summary: Bug 574130: JavaScript spread array initializers, r=jorendorff.
Assignee | ||
Comment 1•11 years ago
|
||
Attachment #715829 -
Flags: review?(jorendorff)
Reporter | ||
Comment 2•11 years ago
|
||
Assigning to Benjamin since he has a patch.
Assignee: general → benjamin
Status: NEW → ASSIGNED
Comment 3•11 years ago
|
||
Comment on attachment 715829 [details] [diff] [review] don't assign optimize arrays with spread Review of attachment 715829 [details] [diff] [review]: ----------------------------------------------------------------- Nice.
Attachment #715829 -
Flags: review?(jorendorff) → review+
Assignee | ||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/534b246aa51b
Assignee | ||
Comment 5•11 years ago
|
||
Comment on attachment 715829 [details] [diff] [review] don't assign optimize arrays with spread [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 574130 User impact if declined: The bug causes us to take "unreachable" paths in the JS compiler just through weird JS syntax. It would probably be hard to exploit, but I wouldn't be surprised if malformed bytecode caused horrible memory corruption bugs in the interpreter. Testing completed (on m-c, etc.): On m-i now Risk to taking this patch (and alternatives if risky): Very straightforward, safe patch. String or UUID changes made by this patch: N/A
Attachment #715829 -
Flags: approval-mozilla-beta?
Attachment #715829 -
Flags: approval-mozilla-aurora?
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 6•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 702d2814efbf).
Assignee | ||
Comment 7•11 years ago
|
||
Fixed just not resolved yet.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Updated•11 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 8•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 702d2814efbf).
Comment 9•11 years ago
|
||
Don't fight with the automation! ;) It's perfectly ok if the bug isn't resolved yet. JSBugMon is just indicating that the test doesn't reproduce anymore.
Comment 10•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/534b246aa51b
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Target Milestone: --- → mozilla22
Comment 11•11 years ago
|
||
Comment on attachment 715829 [details] [diff] [review] don't assign optimize arrays with spread Given the very low risk evaluation, how early we are in the beta cycle, and the fact that we've been seeing memory corruption issues in Firefox recently, approving for aurora/beta.
Attachment #715829 -
Flags: approval-mozilla-beta?
Attachment #715829 -
Flags: approval-mozilla-beta+
Attachment #715829 -
Flags: approval-mozilla-aurora?
Attachment #715829 -
Flags: approval-mozilla-aurora+
Updated•11 years ago
|
Assignee | ||
Comment 12•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/ff02d442b93f https://hg.mozilla.org/releases/mozilla-beta/rev/2b3c9a266df0
You need to log in
before you can comment on or make changes to this bug.
Description
•