Closed Bug 621522 Opened 14 years ago Closed 14 years ago

TypeInference: JM: crash when accessing property of undefined variable

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jandem, Assigned: jandem)

References

Details

(Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 file, 1 obsolete file)

This crashes with -m:
---
function f() {
    var x;
    x.a;
    x = {};
}
f();
---
WFM? (JM branch, js-dbg-32-f405f5f83fbe-darwin)
Oh, I needed to build with --enable-type-inference.

The first bad revision is:
changeset:   0cd7e38f0b39
user:        Brian Hackett
date:        Fri Oct 29 08:05:55 2010 -0700
summary:     [INFER] Javascript type inference, bug 557407.
Attached patch Fix (obsolete) — Splinter Review
This patch adds JSOP_GETLOCALPROP to the use-before-def analysis; this fixes the crash and passes jit-tests. If you think this patch is correct we should probably also review the other JSOP_*LOCAL* opcodes.
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Attachment #500038 - Flags: review?(bhackett1024)
Attached patch Fix — Splinter Review
Oops, I missed the other JSOP_*LOCAL opcodes in the switch, should just add it there. Do we need to land this on tracemonkey as well? I couldn't reproduce the crash there though.
Attachment #500038 - Attachment is obsolete: true
Attachment #500042 - Flags: review?(bhackett1024)
Attachment #500038 - Flags: review?(bhackett1024)
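
A simplified model of the gap this bug describes, added here as an illustration; it is not SpiderMonkey's code and not the attached patch. The opcode enum, `usedBeforeDef`, the `handleLocalProp` switch and the bytecode sequence for the testcase are all assumptions made for the example.

```cpp
#include <set>
#include <vector>

// Simplified stand-ins for bytecode ops; not SpiderMonkey's real opcode table.
enum Op { GETLOCAL, GETLOCALPROP, SETLOCAL, OTHER };

struct Insn { Op op; unsigned slot; };

// Returns the local slots that may be read before any write in a
// straight-line script. handleLocalProp == false models an analysis whose
// switch has no case for GETLOCALPROP (hypothetical "before" state).
std::set<unsigned> usedBeforeDef(const std::vector<Insn>& code, bool handleLocalProp) {
    std::set<unsigned> defined, useBeforeDef;
    for (const Insn& in : code) {
        switch (in.op) {
          case GETLOCALPROP:
            // Reads the local, then a property of it. If this case is
            // skipped, the read of the local is never recorded.
            if (handleLocalProp && !defined.count(in.slot))
                useBeforeDef.insert(in.slot);
            break;
          case GETLOCAL:
            if (!defined.count(in.slot))
                useBeforeDef.insert(in.slot);
            break;
          case SETLOCAL:
            defined.insert(in.slot);
            break;
          case OTHER:
            break;
        }
    }
    return useBeforeDef;
}

// Constructed bytecode for the testcase body "x.a; x = {};" with x in slot 0.
std::vector<Insn> testcase() {
    return { {GETLOCALPROP, 0}, {OTHER, 0}, {SETLOCAL, 0} };
}

int main() {
    bool before = usedBeforeDef(testcase(), false).count(0) != 0; // read of x missed
    bool after  = usedBeforeDef(testcase(), true).count(0) != 0;  // x flagged
    return (!before && after) ? 0 : 1;
}
```

Any consumer of such an analysis that treats "not flagged" as "always defined" inherits the gap, which is why every opcode that reads a local needs a case in the switch.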
Comment on attachment 500042 [details] [diff] [review]
Fix

Looks good, should be able to push this tonight (traveling; also, not sure you know, I will be traveling and mostly unavailable all of January and February).

This should also go on TM, but is not super critical there as this analysis is only used if trace hints are disabled.
Attachment #500042 - Flags: review?(bhackett1024) → review+
(In reply to comment #5)
> Looks good, should be able to push this tonight (traveling; also, not sure you
> know, I will be traveling and mostly unavailable all of January and February).

Have a nice trip - let me know if you're coming to Amsterdam ;). Just curious, does this mean the JM branch will be inactive the coming two months? Or is someone else planning to do occasional merges/bugfixes?
The JM branch will probably be inactive until Firefox 4 wraps up, but should be getting some merge, bugfix, review and (maybe) feature work afterwards.  We want the stuff currently in JM to be shippable for Firefox 5, which would mean things need to be in good shape by (I think) the end of March.

I'll be biking around New Zealand; hopefully can get to Europe before too long!
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey