Closed Bug 465366 Opened 11 years ago Closed 11 years ago

TM: Can't make payment on Capital One credit card with jit on

Categories

(Core :: JavaScript Engine, defect, P1, critical)

x86
macOS
defect

Tracking

()

VERIFIED FIXED
mozilla1.9.1b2

People

(Reporter: bzbarsky, Assigned: gal)

Details

(Keywords: regression, testcase, verified1.9.1)

Attachments

(6 files)

Attached file Testcase
The problem is that the date validator on the site fails to validate the date "11/17/2008", but only when the jit is enabled.  This prevents me from paying my credit card bill (well, until I disable jit, which is not something users will think of).

JS shell testcase attached.  It's not as minimal as it could perhaps be, but it's 2 orders of magnitude smaller than the site.  ;)  It exercises what look like several different bustages.  Basically, it looks like we bail out of the loop in VAM_ParseInt way too early (sometimes after 0 iterations) even though the length is correct.

Not sure whether this needs to block beta.
Flags: blocking1.9.1?
Er, the |x = ...| should be |global.x = ...|.  Not that this affects the
testcase.
Assignee: general → gal
Attached file simplified testcase
Attached file Even simpler
Attached file further reduced
Attached file further reduced
Attached patch patch
Attachment #348602 - Flags: review?(danderson)
Nasty bug. Nice catch bz. Your shell test cases rock as usual.
Severity: major → critical
Priority: -- → P1
nom for b2.
Target Milestone: --- → mozilla1.9.1b2
Comment on attachment 348602
patch

Whoops, nice bug.  

JS_ASSERT(cx->fp->regs->pc == f->ip);

in js_RecordTree is a good idea
Attachment #348602 - Flags: review?(danderson) → review+
Pushed to TM.

http://hg.mozilla.org/tracemonkey/rev/b8f6e95832c6
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.9.1b2 → ---
Target Milestone: --- → mozilla1.9.1b2
reopening, marking blocking beta2, will close once landed on m-c.
Status: RESOLVED → REOPENED
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: FIXED → ---
I pushed the original test here into trace-tests too.
bug 463956 also covers this with ecma/GlobalObject/15.1.2.5-1.js, ecma/GlobalObject/15.1.2.4.js
Fixed in the merge pushed by vlad on Nov 18 14:11:14 2008 -0800:
http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531
Status: REOPENED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
added test in http://hg.mozilla.org/mozilla-central/rev/79a5db81b187 and cvs
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED