Closed Bug 465366 Opened 15 years ago Closed 15 years ago

TM: Can't make payment on Capital One credit card with jit on

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b2

People

(Reporter: bzbarsky, Assigned: gal)

Details

(Keywords: regression, testcase, verified1.9.1)

Attachments

(6 files)

Testcase
970 bytes, text/plain
Details
simplified testcase
282 bytes, application/x-javascript
Details
Even simpler
211 bytes, text/plain
Details
further reduced
129 bytes, application/x-javascript
Details
further reduced
118 bytes, application/x-javascript
Details
patch
2.01 KB, patch
dvander
: review+
Details | Diff | Splinter Review
Attached file Testcase 
The problem is that the date validator on the site fails to validate the date "11/17/2008", but only when the jit is enabled.  This prevents me from paying my credit card bill (well, until I disable jit, which is not something users will think of).

JS shell testcase attached.  It's not as minimal as it could perhaps be, but it's 2 orders of magnitude smaller than the site.  ;)  It exercises what look like several different bustages.  Basically, it looks like we bail out of the loop in VAM_ParseInt way too early (sometimes after 0 iterations) even though the length is correct.

Not sure whether this needs to block beta.
Flags: blocking1.9.1?
Er, the |x = ...| should be |global.x = ...|.  Not that this affects the
testcase.
Assignee: general → gal
Attached file simplified testcase 

    
    

    
  

      
      
      
      

        Attached file
          
        Even simpler
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        further reduced
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        further reduced
      

    


  

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

        Attachment #348602 -
        Flags: review?(danderson)

    
    

    
  
Nasty bug. Nice catch bz. Your shell test cases rock as usual.
Severity: major → critical
Priority: -- → P1

    
    

    
  
nom for b2.
Target Milestone: --- → mozilla1.9.1b2

    
    

    
  
Comment on attachment 348602 [details] [diff] [review]
patch

Whoops, nice bug.  

JS_ASSERT(cx->fp->regs->pc == f->ip);

in js_RecordTree is a good idea

        Attachment #348602 -
        Flags: review?(danderson) → review+

    
    

    
  
Pushed to TM.

http://hg.mozilla.org/tracemonkey/rev/b8f6e95832c6
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: mozilla1.9.1b2 → ---

    
  
Target Milestone: --- → mozilla1.9.1b2

    
    

    
  
reopening, marking blocking beta2, will close once landed on m-c.
Status: RESOLVED → REOPENED
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: FIXED → ---

    
    

    
  
I pushed the original test here into trace-tests too.

    
    

    
  
bug 463956 also covers this with ecma/GlobalObject/15.1.2.5-1.js, ecma/GlobalObject/15.1.2.4.js

    
    

    
  
Fixed in the merge pushed by vlad on Nov 18 14:11:14 2008 -0800:
http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED

    
    

    
  
added test in http://hg.mozilla.org/mozilla-central/rev/79a5db81b187 and cvs
Flags: in-testsuite+
Flags: in-litmus-

    
    

    
  
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1testcase, 
          
            verified1.9.1

          You need to log in
          before you can comment on or make changes to this bug.