Closed Bug 482271 Opened 15 years ago Closed 15 years ago

TM: Crash [@ js_AttemptCompilation]

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.2a1

People

(Reporter: gkw, Assigned: gal)

References

Details

(4 keywords, Whiteboard: fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

patch
2.14 KB, patch
graydon
: review+
Details | Diff | Splinter Review 
for each (let x in [eval, eval, new String('')]) { for(let y in [[]]) NaN = x; }

crashes both opt and debug TM js shells with -j only, near null at js_AttemptCompilation.

This should be a regression of bug 481793.

The first bad revision is:
changeset:   25778:ec90dd58f1da
user:        Andreas Gal
date:        Fri Mar 06 17:25:04 2009 -0800
summary:     Better coordination of nested tree recording (481793, r=dmandelin).
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
Assignee: general → gal
js_AttemptCompilation doesn't NULL check the result of getLoop. Should it? Other sites do.
Attached patch patchSplinter Review 

        Attachment #368215 -
        Flags: review?(graydon)

    
    

    
  
Spelling fix: breathe

    
    

    
  
review ping

        Attachment #368215 -
        Flags: review?(graydon) → review+

    
    

    
  
try{ eval("this.watch(\"x\", Function)") } catch (e){};
([(x.unwatch("x")) for each (x in [new String(''), this]) for each (y in [0])]);

Here's another testcase that seems to be fixed by the patch in comment #2.

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/747655f18836
Whiteboard: fixed-in-tracemonkey

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/747655f18836
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
    

    
  
Verified fixed with testcase given in comment 0 on trunk and 1.9.1 with the following debug builds:

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2a1pre) Gecko/20090422 Minefield/3.6a1pre ID:20090422224452

Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1b4pre) Gecko/20090422 Shiretoko/3.5b4pre ID:20090422122043
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
Target Milestone: --- → mozilla1.9.2a1
Flags: in-testsuite?
Crash Signature: [@ js_AttemptCompilation]

    
    

    
  
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: