Closed
Bug 472049
Opened 16 years ago
Closed 16 years ago
js1_5/Regress/regress-451322.js FAIL
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
mozilla1.9.1b3
People
(Reporter: bc, Assigned: gal)
References
Details
(Keywords: regression, testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files)
http://hg.mozilla.org/tracemonkey/rev/8f8a4b924c32 caused js1_5/Regress/regress-451322.js to fail with a Assertion failed: "Unknown branch type in nPatchBranch": 0 (../nanojit/Nativei386.cpp:437). This recently changed to a time out due to http://hg.mozilla.org/tracemonkey/rev/b369b9f805ba Sorry it took so long to find the regressor(s). I broke my bisect script and couldn't reproduce the issue during bisection and only realized it this morning. sensitive since bug 451322 is.
Flags: wanted1.9.1?
Flags: in-testsuite+
Flags: in-litmus-
Assignee | ||
Comment 1•16 years ago
|
||
Bob, can you try to extract a reliable test case (crash or assert)? The timeout is a bit difficult to test.
Assignee: general → gal
Severity: normal → critical
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b3
Reporter | ||
Comment 2•16 years ago
|
||
gal, not sure how at the moment. perhaps this sample of a hung firefox session will help?
Reporter | ||
Comment 3•16 years ago
|
||
or perhaps the assertion "Unknown branch type in nPatchBranch" which was either fixed or masked by the most recent checkin is the hint?
Reporter | ||
Comment 4•16 years ago
|
||
got it in the debugger on windows with a deleted cx.
> js.exe!js_FlushJITCache(JSContext * cx=0xdddddddd) Line 4115 + 0x3 bytes C++
js.exe!TraceRecorder::monitorRecording(JSOp op=JSOP_DIV) Line 3835 + 0xb bytes C++
js.exe!js_Interpret(JSContext * cx=0x00c6f760) Line 2840 + 0x12 bytes C++
js.exe!js_Execute(JSContext * cx=0x00c6f760, JSObject * chain=0x00db1000, JSScript * script=0x00c91d08, JSStackFrame * down=0x00000000, unsigned int flags=0, long * result=0x00000000) Line 1564 + 0x9 bytes C++
js.exe!JS_ExecuteScript(JSContext * cx=0x00c6f760, JSObject * obj=0x00db1000, JSScript * script=0x00c91d08, long * rval=0x00000000) Line 5083 + 0x19 bytes C++
js.exe!Process(JSContext * cx=0x00c6f760, JSObject * obj=0x00db1000, char * filename=0x00c6bdaa, int forceTTY=0) Line 280 + 0x13 bytes C++
js.exe!ProcessArgs(JSContext * cx=0x00c6f760, JSObject * obj=0x00db1000, char * * argv=0x00c6bcdc, int argc=14) Line 556 + 0x19 bytes C++
js.exe!main(int argc=14, char * * argv=0x00c6bcdc, char * * envp=0x00c66000) Line 4090 + 0x15 bytes C++
js.exe!__tmainCRTStartup() Line 597 + 0x19 bytes C
Assignee | ||
Comment 5•16 years ago
|
||
Ok, the problem is that monitorRecording was made a method of TraceRecorder, but it deletes the recorder so we yank out the state from under ourselves. I will submit a patch shortly.
Assignee | ||
Comment 6•16 years ago
|
||
Assignee | ||
Comment 7•16 years ago
|
||
This is most definitively a blocker. Someone please mark it.
Reporter | ||
Comment 8•16 years ago
|
||
patch works for me on windows. no crash.
Assignee | ||
Updated•16 years ago
|
Attachment #355445 -
Flags: review?(brendan)
Assignee | ||
Updated•16 years ago
|
Attachment #355445 -
Flags: review?(igor)
Comment 9•16 years ago
|
||
Comment on attachment 355445 [details] [diff] [review] patch Sorry, I thought we could yank while jumping to the next level :-P. /be
Attachment #355445 -
Flags: review?(brendan) → review+
Updated•16 years ago
|
Attachment #355445 -
Flags: review?(igor) → review+
Assignee | ||
Comment 10•16 years ago
|
||
Pushed to TM http://hg.mozilla.org/tracemonkey/rev/ea9023d76bae
Whiteboard: fixed-in-tracemonkey
Updated•16 years ago
|
Flags: blocking1.9.1? → blocking1.9.1+
Comment 11•16 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/ea9023d76bae
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•16 years ago
|
Flags: wanted1.9.1?
Reporter | ||
Comment 12•16 years ago
|
||
crashed verified fixed 1.9.1, 1.9.1-tm, 1.9.2
Status: RESOLVED → VERIFIED
Comment 13•16 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/f67cbb089d00
Keywords: fixed1.9.1
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•