TM: Crash [@ TraceRecorder::monitorRecording]

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
9 years ago
5 years ago

People

(Reporter: gkw, Assigned: gal)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Mac OS X
crash, fixed1.9.1, regression, testcase
Points:
---
Bug Flags:
blocking1.9.1 -
wanted1.9.1 +
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey, crash signature)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
__defineGetter__("x", gc)
for (a in (function(){
  for each (y in [{}, '']) {
    for (var z = 0; z < 9; ++z) {
      if ( z % 6 == 0 ) x
      else { yield }
    }
  }
})())
function(){}

crashes debug js shell with -j at TraceRecorder::monitorRecording near null. Security-sensitive because this concerns gc.

autoBisect shows bug 482800 and http://hg.mozilla.org/tracemonkey/rev/14b568cd9c43 may be related:

The first bad revision is:
changeset:   26349:14b568cd9c43
tag:         tip
user:        Andreas Gal
date:        Sat Mar 21 01:07:51 2009 -0700
summary:     Property close loops even in the presence of partially constant loop conditions (482800, r=brendan).
Flags: blocking1.9.1?
(Reporter)

Updated

9 years ago
Keywords: regression
(Assignee)

Updated

9 years ago
Assignee: general → gal
(Assignee)

Comment 1

9 years ago
Debug only. Bad ordering of an assert.
(Assignee)

Comment 2

9 years ago
Created attachment 368692
patch
Attachment #368692 - Flags: review?(brendan)
Attachment #368692 - Flags: review?(brendan) → review+
(Assignee)

Comment 3

9 years ago
http://hg.mozilla.org/tracemonkey/rev/f729fb9fe40b

Not security critical and debug only. Please remove flag.
Whiteboard: fixed-in-tracemonkey

Updated

9 years ago
Group: core-security
Flags: wanted1.9.1+
Flags: blocking1.9.1?
Flags: blocking1.9.1-

Updated

9 years ago
Depends on: 484773

Comment 4

9 years ago
http://hg.mozilla.org/mozilla-central/rev/f729fb9fe40b
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 5

9 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/4d65a256842d
Keywords: fixed1.9.1
(Reporter)

Updated

9 years ago
Flags: in-testsuite?
Crash Signature: [@ TraceRecorder::monitorRecording]
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-