Closed
Bug 494045
Opened 16 years ago
Closed 16 years ago
TM: setting scopeChain to NULL in SynthesizeFrame breaks GetCallObject
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.2a1
People
(Reporter: standard8, Assigned: gal)
References
Details
(Keywords: crash, regression, verified1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 1 obsolete file)
3.73 KB,
text/plain
|
Details | |
5.58 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
With the landing of the tracemonkey merge on 20th May, some of the mailnews xpcshell tests have started crashing. The tests that fail are:
TEST-UNEXPECTED-FAIL | /Volumes/Build/macosx-comm-central-check/build/objdir/mozilla/_tests/xpcshell/test_imap/unit/test_bug460636.js | test failed (with xpcshell return code: -10), see following log:
TEST-UNEXPECTED-FAIL | /Volumes/Build/macosx-comm-central-check/build/objdir/mozilla/_tests/xpcshell/test_imap/unit/test_compactOfflineStore.js | test failed (with xpcshell return code: -10), see following log:
TEST-UNEXPECTED-FAIL | /Volumes/Build/macosx-comm-central-check/build/objdir/mozilla/_tests/xpcshell/test_imap/unit/test_downloadOffline.js | test failed (with xpcshell return code: -10), see following log:
TEST-UNEXPECTED-FAIL | /Users/moztest/comm/trunk/tb/mozilla/_tests/xpcshell/test_imap/unit/test_nsIMsgFolderListenerIMAP.js | test failed (with xpcshell return code: -10), see following log:
The logs aren't interesting as there are no additional warnings/errors and we don't get crash stacks at the moment.
However I've run the tests on my machine and the crash stack from one of the failures is attached.
I've verified by reverting the mozilla-central repository to the revision before the landing (a3b152e3e972) and then updated to the merge set of the landing (cb4d2ce3b5db).
Tracemonkey landing:
http://hg.mozilla.org/mozilla-central/pushloghtml?startdate=2009-05-20+09%3A22%3A05&enddate=2009-05-20+09%3A23
Apologies, but I don't have time for further debug now, and probably won't over the next couple of days. I'm guessing the merge may be heading to 1.9.1 so wanted to raise it now to make you guys aware.
Reporter | ||
Comment 1•16 years ago
|
||
A brief comparison of crash-stack and files changed leads me to believe this is most likely a regression from bug 493657.
Blocks: 493657
Keywords: regression
Updated•16 years ago
|
Flags: blocking1.9.1+
Assignee | ||
Updated•16 years ago
|
Assignee: general → gal
Priority: -- → P1
Assignee | ||
Updated•16 years ago
|
Summary: Tracemonkey merge 20th May causes crashes in mailnews xpcshell tests → TM: setting scopeChain to NULL in SynthesizeFrame breaks GetCallObject
Assignee | ||
Comment 2•16 years ago
|
||
Assignee | ||
Comment 3•16 years ago
|
||
Attachment #378722 -
Attachment is obsolete: true
Attachment #378729 -
Flags: review?(brendan)
Comment 4•16 years ago
|
||
Comment on attachment 378729 [details] [diff] [review]
patch with testcase
>diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
>--- a/js/src/jstracer.cpp
>+++ b/js/src/jstracer.cpp
>@@ -1930,24 +1930,46 @@ skip:
> /*
> * We might return from trace with a different function object, but it still
> * has to be the same function (FIXME: bug 471425, eliminate fp->callee).
This comment confuses me -- change function object to callee object, and maybe change "same function" to "same JSFunction"?
> */
> JS_ASSERT(JSVAL_IS_OBJECT(fp->argv[-1]));
> JS_ASSERT(HAS_FUNCTION_CLASS(JSVAL_TO_OBJECT(fp->argv[-2])));
> JS_ASSERT(GET_FUNCTION_PRIVATE(cx, JSVAL_TO_OBJECT(fp->argv[-2])) ==
> GET_FUNCTION_PRIVATE(cx, fp->callee));
>+ JS_ASSERT(GET_FUNCTION_PRIVATE(cx, fp->callee) == fp->fun);
> fp->callee = JSVAL_TO_OBJECT(fp->argv[-2]);
Blank line here, while you are nearby.
r=me with these nits.
/be
Attachment #378729 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 5•16 years ago
|
||
Whiteboard: fixed-in-tracemonkey
Assignee | ||
Comment 6•16 years ago
|
||
Thanks for reporting this so quickly. The stack frame helped a lot.
Comment 7•16 years ago
|
||
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated•16 years ago
|
Flags: in-testsuite+
Whiteboard: fixed-in-tracemonkey → [needs 1.9.1 landing] fixed-in-tracemonkey
Target Milestone: --- → mozilla1.9.2a1
Comment 8•16 years ago
|
||
Keywords: fixed1.9.1
Whiteboard: [needs 1.9.1 landing] fixed-in-tracemonkey → fixed-in-tracemonkey
Comment 9•16 years ago
|
||
Marking verified based on all tests passes on trunk and 1.9.1 and no backout so far.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•