The main mochitest that I'm working on for bug 435441 crashes when the JIT is enabled. (It doesn't even require the transitions patch to crash.) I've observed the crash on Windows an Linux; it seemed to have shown up as a hang on Mac on try server. Steps to reproduce: * download the attached mochitest, and put it in $objdir/_tests/testing/mochitest/tests/layout/style/test and call it test_transitions.html * cd $objdir/_tests/testing/mochitest * python ./runtests.py --test-path=layout/style/test/test_transitions.html This causes a crash when javascript.options.jit.content is true, but does not crash when the pref is false. (Note that automation.py overrides this pref in the mochitest testing profile.) Some crash reports from Linux: bp-5d0a10e1-da6b-420a-b380-408eb2090911 bp-46c9202d-6fbf-4e2d-8ae8-33ed22090911 bp-471a3d5f-033c-45b0-a354-bc6db2090911 bp-a920b3d3-083d-462e-96ae-1b0102090911

Also crashes in the 2009-09-11-03 Linux tracemonkey nightly.

Here's a testcase that doesn't require the mochitest harness and should just crash when you click the link to it in Bugzilla.

Crash with 0xcdcdcdcd in a debug build means a free memory read. Until we know this doesn't affect 1.9.1 we should hide this.

See bug 508711 for the cause (and a note that there are still other latent bugs of this type).

Pushed to TM as cf9a092205cc. Andreas: you r+'d the wrong patch. But the only difference is the addition of a test case, so I just pushed.

Yeah sorry.

Do we need this patch on 1.9.1, or is that safe?

(In reply to comment #9) > Do we need this patch on 1.9.1, or is that safe? gal, dmandelin?

(In reply to comment #12) > (In reply to comment #9) > > Do we need this patch on 1.9.1, or is that safe? > > gal, dmandelin? Still looking for an answer here...

Sorry for the delay. This bug does not affect 1.9.1. It happens when tracing JSOP_LAMBDA_FC, which is not done in 1.9.1.

js/src/trace-test/tests/basic/bug516009.js v 1.9.3, 1.9.2