Closed Bug 472049 Opened 16 years ago Closed 16 years ago

js1_5/Regress/regress-451322.js FAIL

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
All
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b3

People

(Reporter: bc, Assigned: gal)

References

Details

(Keywords: regression, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

Sample on Mac OS X
38.94 KB, text/plain
Details
patch
5.71 KB, patch
brendan
: review+
igor
: review+
Details | Diff | Splinter Review 
http://hg.mozilla.org/tracemonkey/rev/8f8a4b924c32 caused js1_5/Regress/regress-451322.js to fail with a Assertion failed: "Unknown branch type in nPatchBranch": 0 (../nanojit/Nativei386.cpp:437).

This recently changed to a time out due to http://hg.mozilla.org/tracemonkey/rev/b369b9f805ba

Sorry it took so long to find the regressor(s). I broke my bisect script and couldn't reproduce the issue during bisection and only realized it this morning.

sensitive since bug 451322 is.
Flags: wanted1.9.1?
Flags: in-testsuite+
Flags: in-litmus-
Bob, can you try to extract a reliable test case (crash or assert)? The timeout is a bit difficult to test.
Assignee: general → gal
Severity: normal → critical
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b3
Attached file Sample on Mac OS X 
gal, not sure how at the moment. perhaps this sample of a hung firefox session will help?
or perhaps the assertion "Unknown branch type in nPatchBranch" which was either fixed or masked by the most recent checkin is the hint?
got it in the debugger on windows with a deleted cx.

>	js.exe!js_FlushJITCache(JSContext * cx=0xdddddddd)  Line 4115 + 0x3 bytes	C++
 	js.exe!TraceRecorder::monitorRecording(JSOp op=JSOP_DIV)  Line 3835 + 0xb bytes	C++
 	js.exe!js_Interpret(JSContext * cx=0x00c6f760)  Line 2840 + 0x12 bytes	C++
 	js.exe!js_Execute(JSContext * cx=0x00c6f760, JSObject * chain=0x00db1000, JSScript * script=0x00c91d08, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x00000000)  Line 1564 + 0x9 bytes	C++
 	js.exe!JS_ExecuteScript(JSContext * cx=0x00c6f760, JSObject * obj=0x00db1000, JSScript * script=0x00c91d08, long * rval=0x00000000)  Line 5083 + 0x19 bytes	C++
 	js.exe!Process(JSContext * cx=0x00c6f760, JSObject * obj=0x00db1000, char * filename=0x00c6bdaa, int forceTTY=0)  Line 280 + 0x13 bytes	C++
 	js.exe!ProcessArgs(JSContext * cx=0x00c6f760, JSObject * obj=0x00db1000, char * * argv=0x00c6bcdc, int argc=14)  Line 556 + 0x19 bytes	C++
 	js.exe!main(int argc=14, char * * argv=0x00c6bcdc, char * * envp=0x00c66000)  Line 4090 + 0x15 bytes	C++
 	js.exe!__tmainCRTStartup()  Line 597 + 0x19 bytes	C
Ok, the problem is that monitorRecording was made a method of TraceRecorder, but it deletes the recorder so we yank out the state from under ourselves. I will submit a patch shortly.
Attached patch patchSplinter Review 

    
    

    
  
This is most definitively a blocker. Someone please mark it.

    
    

    
  
patch works for me on windows. no crash.

    
  

        Attachment #355445 -
        Flags: review?(brendan)

    
  

        Attachment #355445 -
        Flags: review?(igor)

    
    

    
  
Comment on attachment 355445 [details] [diff] [review]
patch

Sorry, I thought we could yank while jumping to the next level :-P.

/be

        Attachment #355445 -
        Flags: review?(brendan) → review+

    
  

        Attachment #355445 -
        Flags: review?(igor) → review+

    
    

    
  
Pushed to TM

http://hg.mozilla.org/tracemonkey/rev/ea9023d76bae
Whiteboard: fixed-in-tracemonkey

    
  
Flags: blocking1.9.1? → blocking1.9.1+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/ea9023d76bae
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
  
Flags: wanted1.9.1?

    
    

    
  
crashed verified fixed 1.9.1, 1.9.1-tm, 1.9.2
Status: RESOLVED → VERIFIED

    
  
Blocks: 469233

    
    

    
  
v 1.9.1.
Keywords: fixed1.9.1verified1.9.1
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: