Closed
Bug 935322
Opened 11 years ago
Closed 11 years ago
(jit) Crash on Heap near [@ EnterBaseline]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
()
VERIFIED
FIXED
mozilla28
People
(Reporter: decoder, Assigned: jandem)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])
Crash Data
Attachments
(1 file)
|
(deleted),
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 770de5942471 (run with --ion-eager):
function test() {
var UBound = 0;
var BUGNUMBER = 131964;
var actual = '';
function g() {
delete f;
try {
f.status
} catch(e) {
actual = 'f was deleted';
}
}
g();
} test();
|
Reporter | |
Comment 1•11 years ago
|
||
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
|
|
Reporter | |
Comment 2•11 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/495a9c210b91
user: Jan de Mooij
date: Mon Nov 04 11:40:24 2013 +0100
summary: Bug 933798 - Don't unnecessarily deoptimize name accesses in try blocks in lazily parsed functions. r=bhackett
This iteration took 1.033 seconds to run.
|
|
Reporter | |
Updated•11 years ago
|
Whiteboard: [fuzzblocker] [jsbugmon:update] → [fuzzblocker] [jsbugmon:update,ignore]
|
|
Reporter | |
Comment 3•11 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5446435cc94a).
|
||
Comment 4•11 years ago
|
||
This was fixed by backing out bug 933798.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Keywords: regression
Resolution: --- → FIXED
Whiteboard: [fuzzblocker] [jsbugmon:update,ignore] → [fuzzblocker] [jsbugmon:update]
|
||
Updated•11 years ago
|
|
||
Comment 5•11 years ago
|
||
I couldn't reproduce the crash here, I just got "Segmentation fault (core dumped)". This is indeed gone for Firefox 28 beta.
Crashes with this signature (EnterBaseline) on post-fix builds are present in Socorro, but they are also associated with other bugs:
https://crash-stats.mozilla.com/report/list?signature=EnterBaseline&product=Firefox&query_type=contains&range_unit=weeks&process_type=any&hang_type=any&date=2014-02-11+12%3A00%3A00&range_value=4#tab-reports
Keywords: verifyme
|
|
||
Comment 6•11 years ago
|
||
(In reply to Ioana Budnar, QA [:ioana] from comment #5)
> I couldn't reproduce the crash here, I just got "Segmentation fault (core
> dumped)".
A segmentation fault is a crash.
|
|
||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•