Closed Bug 456667 Opened 16 years ago Closed 16 years ago

TM: crash logging into Zimbra with JITs on

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows Vista
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: dvander, Assigned: dvander)

Details

(Keywords: crash, testcase, verified1.9.1)

Attachments

(1 file)

test case that crashes
268 bytes, application/x-javascript
Details 
+++ This bug was initially created as a clone of Bug #455137 +++

Cloning original bug due to separate crash problem now.
Assignee: general → danderson
Flags: blocking1.9.1?
Priority: -- → P1
Flags: blocking1.9.1? → blocking1.9.1+
Attached file test case that crashes 
This test case attempts to reproduce the same conditions as the crash: caller has nargs=1,argc=1 and callee (lr->callDepth=1) has nargs=4,argc=1

Looks like something is going wrong in either js_SynthesizeFrame or FlushNativeStackFrame though I haven't diagnosed it yet.  This isn't the same exact crash but the situations are very similar.
Pushed fix as changeset http://hg.mozilla.org/tracemonkey/rev/437331f166fe.  This reveals another bug, crashing in js_FastNewObject.  Will clone again.
Test case: http://hg.mozilla.org/tracemonkey/rev/da80ff92f1fa
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Keywords: testcase
verified fixed using  Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre and  Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b2pre) Gecko/20081013 Minefield/3.1b2pre.
Status: RESOLVED → VERIFIED
test already in js1_8_1/trace/trace-test.js
Flags: in-testsuite+
Flags: in-litmus-
Keywords: verified1.9.1
Keywords: fixed1.9.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: