Closed
Bug 516009
Opened 15 years ago
Closed 15 years ago
CSS transitions mochitest crashes with JIT enabled
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
VERIFIED
FIXED
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
| status1.9.1 | --- | unaffected |
People
(Reporter: dbaron, Assigned: dmandelin)
References
Details
(Keywords: crash, verified1.9.2, Whiteboard: fixed-in-tracemonkey)
Attachments
(4 files, 1 obsolete file)
The main mochitest that I'm working on for bug 435441 crashes when the JIT is enabled. (It doesn't even require the transitions patch to crash.) I've observed the crash on Windows an Linux; it seemed to have shown up as a hang on Mac on try server. Steps to reproduce: * download the attached mochitest, and put it in $objdir/_tests/testing/mochitest/tests/layout/style/test and call it test_transitions.html * cd $objdir/_tests/testing/mochitest * python ./runtests.py --test-path=layout/style/test/test_transitions.html This causes a crash when javascript.options.jit.content is true, but does not crash when the pref is false. (Note that automation.py overrides this pref in the mochitest testing profile.) Some crash reports from Linux: bp-5d0a10e1-da6b-420a-b380-408eb2090911 bp-46c9202d-6fbf-4e2d-8ae8-33ed22090911 bp-471a3d5f-033c-45b0-a354-bc6db2090911 bp-a920b3d3-083d-462e-96ae-1b0102090911
|
Reporter | |
Comment 1•15 years ago
|
||
|
|
Reporter | |
Comment 2•15 years ago
|
||
Also crashes in the 2009-09-11-03 Linux tracemonkey nightly.
|
||
Updated•15 years ago
|
Flags: blocking1.9.2?
|
Assignee | |
Updated•15 years ago
|
Assignee: general → dmandelin
|
||
Updated•15 years ago
|
Group: core-security
|
|
Reporter | |
Comment 3•15 years ago
|
||
Here's a testcase that doesn't require the mochitest harness and should just crash when you click the link to it in Bugzilla.
|
|
||
Comment 4•15 years ago
|
||
Crash with 0xcdcdcdcd in a debug build means a free memory read. Until we know this doesn't affect 1.9.1 we should hide this.
|
|
Assignee | |
Comment 5•15 years ago
|
||
See bug 508711 for the cause (and a note that there are still other latent bugs of this type).
Attachment #400182 -
Flags: review?(gal)
|
|
Assignee | |
Comment 6•15 years ago
|
||
Attachment #400182 -
Attachment is obsolete: true
Attachment #400184 -
Flags: review?(gal)
Attachment #400182 -
Flags: review?(gal)
|
|
||
Updated•15 years ago
|
Attachment #400182 -
Flags: review+
|
|
Assignee | |
Comment 7•15 years ago
|
||
Pushed to TM as cf9a092205cc. Andreas: you r+'d the wrong patch. But the only difference is the addition of a test case, so I just pushed.
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 8•15 years ago
|
||
Yeah sorry.
|
|
||
Comment 9•15 years ago
|
||
Do we need this patch on 1.9.1, or is that safe?
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
||
Updated•15 years ago
|
Attachment #400184 -
Flags: review?(gal) → review+
|
||
Comment 10•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/cf9a092205cc
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
Priority: -- → P1
|
|
||
Comment 12•15 years ago
|
||
(In reply to comment #9) > Do we need this patch on 1.9.1, or is that safe? gal, dmandelin?
|
|
||
Comment 13•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/21d758a56d59
status1.9.2:
--- → beta1-fixed
|
||
Comment 14•15 years ago
|
||
(In reply to comment #12) > (In reply to comment #9) > > Do we need this patch on 1.9.1, or is that safe? > > gal, dmandelin? Still looking for an answer here...
blocking1.9.1: --- → ?
|
|
Assignee | |
Comment 15•15 years ago
|
||
Sorry for the delay. This bug does not affect 1.9.1. It happens when tracing JSOP_LAMBDA_FC, which is not done in 1.9.1.
|
|
||
Updated•15 years ago
|
blocking1.9.1: ? → ---
status1.9.1:
--- → unaffected
|
||
Comment 16•15 years ago
|
||
js/src/trace-test/tests/basic/bug516009.js v 1.9.3, 1.9.2
|
||
Updated•14 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•