Closed Bug 452168 Opened 11 years ago Closed 11 years ago

TM: Crash [@ avmplus::List] with gczeal, "for (var p in this)"

Categories

(Core :: JavaScript Engine, defect, P1, critical)

Tracking

RESOLVED FIXED
mozilla1.9.1b1

People

(Reporter: jruderman, Assigned: brendan)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(1 file)

I'm using the tracemonkey branch.

./js -j
js> var a, b; gczeal(2); (function() { for (var p in this) { } })();

Crash [@ avmplus::List] or [@ nanojit::LirBuffer::validate].
This bug prevents me from running jsfunfuzz with gczeal and JIT on.  gczeal has been pretty good at finding bad bugs in the past.
GC is running during recording/importing; this trashes the JIT cache, and every pointer we care about in the callstack gets trashed.  Flagging for Brendan.
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b1
Attached patch: proposed fix
I renamed runningJittedCode to executingTrace, shorter and a bit more pointed (and maybe even sensible when recording? I didn't want recordingOrExecutingTrace of course :-P).

If there's a better way to manage the non-nesting except when recording runs the trace logic, I'm all ears.

/be
Attachment #336130 - Flags: review?(gal)
Attachment #336130 - Flags: review?(gal) → review+
Fixed on m-c, can't find the link (dammit).

/be
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-452168.js,v  <--  regress-452168.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/a89c6b449c61
Flags: in-testsuite+
Flags: in-litmus-
Crash Signature: [@ avmplus::List]