Closed Bug 489644 Opened 11 years ago Closed 11 years ago

TM: JSOP_BINDNAME wrongful abort due to fp->fun instead of fp->callee usage

Categories

(Core :: JavaScript Engine, defect, P2, critical)

Tracking

VERIFIED FIXED
mozilla1.9.2a1

People

(Reporter: brendan, Assigned: gal)

Details

(Keywords: testcase, verified1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

Attached file testcase guts
Testcase fodder attached, needs jitstats monitoring or TRACEMONKEY=verbose grep -i abort to detect the failure.

/be
Cloned function objects happen in chrome, possibly in content for top-level functions (need to check XBL widget bindings). Also of course for closures, but then there'd be an upvar and either the global wouldn't matter, or we'd abort reaching up above the recorder's entry frame.

But we rely on the global also for trust labeling, so this is not a trivial bug.

/be
Flags: wanted1.9.1?
Attached patch patch
Assignee: jim → gal
Attachment #374120 - Flags: review?(brendan)
No need to hold b4 for this according to brendan but final. I think we can get this into b4 though.
Flags: blocking1.9.1?
Priority: -- → P2
Attachment #374120 - Flags: review?(brendan) → review+
http://hg.mozilla.org/tracemonkey/rev/0a1bf400bea1
Whiteboard: fixed-in-tracemonkey
Stupid last-minute changes.  Thanks, Andreas.
Flags: wanted1.9.1? → wanted1.9.1+
Flags: blocking1.9.1? → blocking1.9.1-
This should block final.
http://hg.mozilla.org/mozilla-central/rev/0a1bf400bea1
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Marking verified fixed on trunk and 1.9.1 based on check-ins and no backout so far.
Status: RESOLVED → VERIFIED
Target Milestone: mozilla1.9.1 → mozilla1.9.2a1
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-