TypeInference: type inference crash for "new Function.prototype" [@ TypeObject::getNewObject]

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 8 years ago
Last modified: 7 years ago
Reporter: jandem
Assignee: Unassigned
Blocks: 1 bug
Keywords: crash
Version: Other Branch
Hardware: x86, Mac OS X
Whiteboard: fixed-in-jaegermonkey, crash signature

Description (Reporter, 8 years ago)
This crashes in the type inference code:
---
./js 
js> new Function.prototype
Bus error
---
Top of stack:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000001c
0x00317e93 in js::types::TypeObject::getNewObject (this=0x0, cx=0x70b3a0) at ../jsinfer.cpp:1966
1966	    if (newObject)
(gdb) bt
#0  0x00317e93 in js::types::TypeObject::getNewObject (this=0x0, cx=0x70b3a0) at ../jsinfer.cpp:1966
#1  0x0031dbf9 in js::types::TypeConstraintCall::newType (this=0x713ff0, cx=0x70b3a0, source=0x713da8, type=8792640) at ../jsinfer.cpp:824

Updated (8 years ago)
Severity: normal → critical
Keywords: crash
Summary: TypeInference: type inference crash for "new Function.prototype" → TypeInference: type inference crash for "new Function.prototype" [@ TypeObject::getNewObject]
Version: unspecified → Trunk
timeless:
This crash (and other issues blocking bug 608741) is in the Jaegermonkey branch, which is experimental code and won't be on trunk for a few months.
Severity: critical → normal
Version: Trunk → Other Branch
Blocks: 619415
No longer blocks: 608741
Comment 2 (Reporter, 7 years ago)
The inference crash is gone, but now this asserts with -m:

./js -m
js> new Function.prototype
Assertion failure: analysis, at ../jsinferinlines.h:453
Yeah, bug 619271 made this almost not-broken, but we still weren't making analysis info for Function.prototype (these values are scripts, but are created in a different way from normal scripts).

http://hg.mozilla.org/projects/jaegermonkey/rev/6ae854b6490f
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Duplicate of this bug: 641108
This rebroke with the scripted 'new' overhaul done as part of bug 619433, and unfortunately testing did not catch it (only breaks if -m is not used).  The problem was that Function.prototype does not itself have a .prototype property (unlike all other scripts), and wasn't being special cased.

http://hg.mozilla.org/projects/jaegermonkey/rev/479604222c8e
Status: REOPENED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Crash Signature: [@ TypeObject::getNewObject]
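As an added illustration, not part of the bug thread and not SpiderMonkey code, the following script probes the property that both fixes above had to special-case: Function.prototype is itself a callable function object, but unlike every ordinary script function it has no own .prototype property and is not a constructor, so `new Function.prototype` is a TypeError in any ES5-or-later engine (Node.js or a browser console). It also shows that ES2015 arrow functions share that shape, which goes beyond the specific case in the report. The function names describeCallable and compareCallables are assumptions of this example.

```javascript
'use strict';
// Added example, not code from the bug report or from SpiderMonkey.
// Probes the property the JIT's scripted-'new' path tripped over:
// Function.prototype is callable, yet unlike an ordinary function it has
// no own .prototype property and cannot be constructed.
// Assumes an ES5-or-later engine (Node.js or a browser), in which
// Function.prototype has no [[Construct]] internal method.

// Returns a record describing how `fn` behaves as a callee and as a
// constructor. describeCallable/compareCallables are names chosen here.
function describeCallable(fn) {
  const record = {
    isFunction: typeof fn === 'function',
    hasOwnPrototype: Object.prototype.hasOwnProperty.call(fn, 'prototype'),
    callResult: undefined,
    constructError: null, // exception name thrown by `new fn()`, if any
  };
  // Plain call: Function.prototype accepts any arguments and returns undefined.
  record.callResult = fn();
  try {
    new fn(); // the expression from the bug report, `new Function.prototype`
  } catch (e) {
    record.constructError = e instanceof TypeError ? 'TypeError' : e.name;
  }
  return record;
}

function ordinaryFunction() {}
const arrowFunction = () => {};

// Constructed comparison set: the built-in that crashed the inference code,
// an ordinary script function (own .prototype, constructible), and an arrow
// function (ES2015+), which shares Function.prototype's shape.
function compareCallables() {
  return {
    functionPrototype: describeCallable(Function.prototype),
    ordinary: describeCallable(ordinaryFunction),
    arrow: describeCallable(arrowFunction),
  };
}

// Human-readable dump when run directly, e.g. with `node`.
for (const [name, r] of Object.entries(compareCallables())) {
  console.log(name, JSON.stringify(r));
}
```

The ordinary function is the only one of the three with an own .prototype and the only one `new` accepts; the other two are callable but throw TypeError under `new`, which is exactly the distinction a script-based constructor path has to check before assuming a .prototype property exists.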