Closed Bug 621292 Opened 14 years ago Closed 13 years ago

TypeInference: ES5 test suite failures with type inference

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

(Whiteboard: fixed-in-jaegermonkey) 

I didn't find any extra test failures, but some tests crash:

1) crashes interpreter:
---
function f() {
    eval("function foo(arguments){};");
}
f();
---
0x00326777 in js::analyze::Script::getGlobal (this=0x715710) at jsinferinlines.h:688
688	        if (nested->analysis->global) {

("nested" is NULL here)

2) Asserts with -m:
---
function f(a,b,c) {
    a = 1; b = 'str'; c = 2.1;
    return arguments[0];
}
assertEq(f(10,'sss',1), 1);
---
Assertion failure: arg->data.inMemory(), at ../methodjit/FrameState.cpp:1960

3) Crashes with -m (tests run in the same process, this is a combination of two different tests):
---
function callbackfn(val, idx, obj) {
    srcArr[2] = 3;    
    return true;
}
Array.prototype[4] = 5;
delete Array.prototype[4];

var srcArr = [1,2,,4,5];
var resArr = srcArr.filter(callbackfn);
assertEq(resArr[2], 3);
---
Also crashes with map, reduce, etc.
1) is asserting in the scope-handling code, which has been ripped out now.  2) has an escaping float argument fixed by rev 228e319574f9 (cset below adds a test).  3) is a deliberate crash by InvokeSession when the callee causes itself to get recompiled.  While this doesn't trigger anymore, InvokeSession needs an additional check to watch for cases where side effects made while not invoking cause the callee to get recompiled.  That is fixed (with test) by the below cset.

http://hg.mozilla.org/projects/jaegermonkey/rev/4f211b4f1b30
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
You need to log in before you can comment on or make changes to this bug.