Closed
Bug 850099
Opened 12 years ago
Closed 12 years ago
BaselineCompiler: Assertion failure: isStackSlot(), at ../ion/LIR-inl.h:38
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
firefox21 | --- | unaffected |
firefox22 | --- | unaffected |
firefox23 | --- | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: jandem)
References
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
1.46 KB,
patch
|
djvj
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on baseline compiler branch revision b942f88d95c5 (run with --ion-eager):
var buf = serialize(-1);
var nbuf = serialize(undefined);
for (var j = 0 ; j < 1; j++)
buf[j + 8] = nbuf[j];
Reporter | ||
Comment 1•12 years ago
|
||
Marking s-s since baseline will land soon and this is a security issue. Opt builds crash in various ways where the debug build hits this assertion.
Group: core-security
Assignee | ||
Comment 2•12 years ago
|
||
Small fix for StoreTypedArrayElementHole to handle the case where the length is constant but the index is not.
Updated•12 years ago
|
Attachment #729720 -
Flags: review?(kvijayan) → review+
Assignee | ||
Comment 3•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 4•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•11 years ago
|
Group: core-security
status-b2g18:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox22:
--- → unaffected
status-firefox23:
--- → fixed
status-firefox-esr17:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•