Closed
Bug 850099
Opened 11 years ago
Closed 11 years ago
BaselineCompiler: Assertion failure: isStackSlot(), at ../ion/LIR-inl.h:38
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| firefox21 | --- | unaffected |
| firefox22 | --- | unaffected |
| firefox23 | --- | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
1.46 KB,
patch
|
djvj
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on baseline compiler branch revision b942f88d95c5 (run with --ion-eager): var buf = serialize(-1); var nbuf = serialize(undefined); for (var j = 0 ; j < 1; j++) buf[j + 8] = nbuf[j];
|
Reporter | |
Comment 1•11 years ago
|
||
Marking s-s since baseline will land soon and this is a security issue. Opt builds crash in various ways where the debug build hits this assertion.
Group: core-security
|
Assignee | |
Comment 2•11 years ago
|
||
Small fix for StoreTypedArrayElementHole to handle the case where the length is constant but the index is not.
|
||
Updated•11 years ago
|
Attachment #729720 -
Flags: review?(kvijayan) → review+
|
|
Assignee | |
Comment 3•11 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/607291e864e3
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Comment 4•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
||
Updated•11 years ago
|
Group: core-security
status-b2g18:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox22:
--- → unaffected
status-firefox23:
--- → fixed
status-firefox-esr17:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•