Closed Bug 617750 Opened 14 years ago Closed 14 years ago

TypeInference: Missing type at #1:00033 popped 0: RegExp:prototype:new

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

(Whiteboard: fixed-in-jaegermonkey)

---
x = [].concat(/abc/).shift();
assertEq(x.source, "abc");
---
./js:
[infer failure] Missing type at #1:00023 popped 0: RegExp:prototype:new
Bus error

./js -m:
test.js:2: TypeError: x is undefined
These '[infer failure]' reports are bugs in the inference itself, and show up best when the interpreter is running (every value popped by a bytecode is checked against the inferred information for that stack slot, along with other checks for array denseness/packedness).  This shows up in this example because [].concat produces bytecode which the mjit doesn't compile and we fallback to the interpreter.  It might be good to also fuzz interpreter-only to test the inference more thoroughly.
The type modeling the behavior of Array.concat did not handle non-array arguments.

http://hg.mozilla.org/projects/jaegermonkey/rev/e074599afab9
Whiteboard: fixed-in-jaegermonkey
Er, type *handler*
Blocks: infer-regress
No longer blocks: TypeInference
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.