Closed
Bug 619338
Opened 14 years ago
Closed 13 years ago
TypeInference: type inference crash for "new Function.prototype" [@ TypeObject::getNewObject]
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: jandem, Unassigned)
(Keywords: crash, Whiteboard: fixed-in-jaegermonkey)
This crashes in the type inference code:

---
./js
js> new Function.prototype
Bus error
---

Top of stack:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000001c
0x00317e93 in js::types::TypeObject::getNewObject (this=0x0, cx=0x70b3a0) at ../jsinfer.cpp:1966
1966        if (newObject)
(gdb) bt
#0  0x00317e93 in js::types::TypeObject::getNewObject (this=0x0, cx=0x70b3a0) at ../jsinfer.cpp:1966
#1  0x0031dbf9 in js::types::TypeConstraintCall::newType (this=0x713ff0, cx=0x70b3a0, source=0x713da8, type=8792640) at ../jsinfer.cpp:824
Severity: normal → critical
Keywords: crash
Summary: TypeInference: type inference crash for "new Function.prototype" → TypeInference: type inference crash for "new Function.prototype" [@ TypeObject::getNewObject]
Version: unspecified → Trunk
Comment 1•14 years ago
timeless: This crash (and other issues blocking bug 608741) is in the Jaegermonkey branch, which is experimental code and won't be on trunk for a few months.
Severity: critical → normal
Version: Trunk → Other Branch
Updated•14 years ago
Comment 2•14 years ago
The inference crash is gone, but now this asserts with -m:

./js -m
js> new Function.prototype
Assertion failure: analysis, at ../jsinferinlines.h:453
Comment 3•14 years ago
Yeah, bug 619271 made this almost not-broken, but we still weren't making analysis info for Function.prototype (these values are scripts, but are created in a different way from normal scripts). http://hg.mozilla.org/projects/jaegermonkey/rev/6ae854b6490f
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Updated•13 years ago
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 5•13 years ago
This rebroke with the scripted 'new' overhaul done as part of bug 619433, and unfortunately testing did not catch it (only breaks if -m is not used). The problem was that Function.prototype does not itself have a .prototype property (unlike all other scripts), and wasn't being special cased. http://hg.mozilla.org/projects/jaegermonkey/rev/479604222c8e
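The invariant that comment 5 turns on, as an added example that is not part of the bug report or of SpiderMonkey: Function.prototype is callable but carries no own .prototype property and cannot be used as a constructor, whereas an ordinary scripted function has both. The check is generalized to a few other non-constructor callables (a constructed list) so the special case can be seen in context; the helper names are the example's own.

```javascript
// Added example (not from the bug or the SpiderMonkey sources): probes a
// callable the way a regression test for this bug would, recording whether
// it has an own .prototype and whether `new` on it throws a TypeError.
function describeCallable(f) {
  let constructError = null;
  try {
    new f();
  } catch (e) {
    constructError = e instanceof TypeError ? "TypeError" : String(e);
  }
  return {
    callable: typeof f === "function",
    hasOwnPrototype: Object.prototype.hasOwnProperty.call(f, "prototype"),
    constructError,
  };
}

// Function.prototype is itself callable (it returns undefined) but has no
// own .prototype, so `new Function.prototype` must throw rather than yield
// an object; that is the case the inference code failed to special-case.
function checkFunctionPrototype() {
  const r = describeCallable(Function.prototype);
  return r.callable && !r.hasOwnPrototype && r.constructError === "TypeError";
}

// An ordinary scripted function does carry .prototype and constructs fine.
function checkOrdinaryFunction() {
  function Ordinary() {}
  const r = describeCallable(Ordinary);
  return r.callable && r.hasOwnPrototype && r.constructError === null;
}

// Constructed list of other callables that are not constructors; they
// behave like Function.prototype and would need the same handling.
const NON_CONSTRUCTORS = {
  "Function.prototype": Function.prototype,
  "Math.max": Math.max,
  arrow: () => 1,
  method: ({ m() {} }).m,
};

function nonConstructorReport() {
  const out = {};
  for (const [name, f] of Object.entries(NON_CONSTRUCTORS)) {
    out[name] = describeCallable(f);
  }
  return out;
}
```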
Updated•13 years ago
Status: REOPENED → RESOLVED
Closed: 14 years ago → 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
Crash Signature: [@ TypeObject::getNewObject]