CSS transitions mochitest crashes with JIT enabled

VERIFIED FIXED

Status

Core
JavaScript Engine
P1
normal
VERIFIED FIXED
8 years ago
8 years ago

People

(Reporter: dbaron, Assigned: dmandelin)

Tracking

({crash, verified1.9.2})

Trunk
x86
All
crash, verified1.9.2
Bug Flags:
blocking1.9.2 +
in-testsuite +

Firefox Tracking Flags

(status1.9.2 beta1-fixed, status1.9.1 unaffected)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

8 years ago
Created attachment 400098 [details]
test_transitions.html

The main mochitest that I'm working on for bug 435441 crashes when the JIT is enabled.  (It doesn't even require the transitions patch to crash.)

I've observed the crash on Windows and Linux; it seemed to have shown up as a hang on Mac on try server.

Steps to reproduce:
 * download the attached mochitest, and put it in $objdir/_tests/testing/mochitest/tests/layout/style/test and call it test_transitions.html
 * cd $objdir/_tests/testing/mochitest
 * python ./runtests.py --test-path=layout/style/test/test_transitions.html

This causes a crash when javascript.options.jit.content is true, but does not crash when the pref is false.  (Note that automation.py overrides this pref in the mochitest testing profile.)

Some crash reports from Linux:
bp-5d0a10e1-da6b-420a-b380-408eb2090911
bp-46c9202d-6fbf-4e2d-8ae8-33ed22090911
bp-471a3d5f-033c-45b0-a354-bc6db2090911
bp-a920b3d3-083d-462e-96ae-1b0102090911
(Reporter)

Comment 1

8 years ago
Created attachment 400101 [details]
stack from Windows debug build
(Reporter)

Comment 2

8 years ago
Also crashes in the 2009-09-11-03 Linux tracemonkey nightly.
Flags: blocking1.9.2?
(Assignee)

Updated

8 years ago
Assignee: general → dmandelin

Updated

8 years ago
Group: core-security
(Reporter)

Comment 3

8 years ago
Created attachment 400111 [details]
standalone version of testcase

Here's a testcase that doesn't require the mochitest harness and should just crash when you click the link to it in Bugzilla.

Comment 4

8 years ago
Crash with 0xcdcdcdcd in a debug build means a free memory read. Until we know this doesn't affect 1.9.1 we should hide this.
(Assignee)

Comment 5

8 years ago
Created attachment 400182 [details] [diff] [review]
Patch

See bug 508711 for the cause (and a note that there are still other latent bugs of this type).
Attachment #400182 - Flags: review?(gal)
(Assignee)

Comment 6

8 years ago
Created attachment 400184 [details] [diff] [review]
Patch 2 (forgot test case last time)
Attachment #400182 - Attachment is obsolete: true
Attachment #400184 - Flags: review?(gal)
Attachment #400182 - Flags: review?(gal)

Updated

8 years ago
Attachment #400182 - Flags: review+
(Assignee)

Comment 7

8 years ago
Pushed to TM as cf9a092205cc.

Andreas: you r+'d the wrong patch. But the only difference is the addition of a test case, so I just pushed.
Whiteboard: fixed-in-tracemonkey

Comment 8

8 years ago
Yeah sorry.
Do we need this patch on 1.9.1, or is that safe?

Updated

8 years ago
Flags: blocking1.9.2? → blocking1.9.2+

Updated

8 years ago
Attachment #400184 - Flags: review?(gal) → review+
http://hg.mozilla.org/mozilla-central/rev/cf9a092205cc
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
(Assignee)

Updated

8 years ago
Duplicate of this bug: 511831

Updated

8 years ago
Priority: -- → P1

Comment 12

8 years ago
(In reply to comment #9)
> Do we need this patch on 1.9.1, or is that safe?

gal, dmandelin?

Comment 13

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/21d758a56d59
status1.9.2: --- → beta1-fixed
(In reply to comment #12)
> (In reply to comment #9)
> > Do we need this patch on 1.9.1, or is that safe?
> 
> gal, dmandelin?

Still looking for an answer here...
blocking1.9.1: --- → ?
(Assignee)

Comment 15

8 years ago
Sorry for the delay. This bug does not affect 1.9.1. It happens when tracing JSOP_LAMBDA_FC, which is not done in 1.9.1.

Updated

8 years ago
blocking1.9.1: ? → ---
status1.9.1: --- → unaffected

Comment 16

8 years ago
js/src/trace-test/tests/basic/bug516009.js
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Keywords: verified1.9.2
Group: core-security