Closed
Bug 465454
Opened 16 years ago
Closed 16 years ago
TM: Crash [@ JITted code] with this type-unstable loop
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.1
People
(Reporter: jruderman, Assigned: brendan)
Details
(Keywords: crash, testcase, verified1.9.1, Whiteboard: [fixed by 465460])
Crash Data
for each (let b in [(-1/0), new String(''), new String(''), null, (-1/0), (-1/0), new String(''), new String(''), null]) '' + b;
Assignee | ||
Comment 1•16 years ago
|
||
This is due to classifying null as object when tracing and in typemaps. We need to null-guard, which is another branch test for a rare hard case. I think it is better to classify null as a distinct type. undefined arguably should be its own trace typemap type too, but at least it's lumped into boolean. Imagine if it were included in object -- that's analogous to what we do with null. /be
Assignee | ||
Updated•16 years ago
|
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1
Reporter | ||
Comment 2•16 years ago
|
||
Would it make sense to group null and undefined together as one tracing type?
Reporter | ||
Updated•16 years ago
|
Summary: Crash [@ JITted code] with this type-unstable loop → TM: Crash [@ JITted code] with this type-unstable loop
Updated•16 years ago
|
Flags: blocking1.9.1+
Reporter | ||
Comment 3•16 years ago
|
||
No longer crashes. Instead, incorrectly throws "TypeError: b is null" (only with JIT on).
Assignee | ||
Comment 4•16 years ago
|
||
WFM now that bug 465460 is fixed. /be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 5•15 years ago
|
||
Adding fixed1.9.1 as bug 465460 is fixed1.9.1
Keywords: fixed1.9.1
Whiteboard: [fixed by 465460]
Comment 6•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/120c1d9f7821
Flags: in-testsuite+
Flags: in-litmus-
Comment 7•15 years ago
|
||
js1_8/regress/regress-465454.js v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1
Updated•13 years ago
|
Crash Signature: [@ JITted code]
You need to log in
before you can comment on or make changes to this bug.
Description
•