TypeInference: JM: crash when accessing property of undefined variable

RESOLVED FIXED


People

(Reporter: jandem, Assigned: jandem)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

8 years ago
This crashes with -m:
---
function f() {
    var x;
    x.a;
    x = {};
}
f();
---

Comment 1

8 years ago
WFM? (JM branch, js-dbg-32-f405f5f83fbe-darwin)

Comment 2

8 years ago
Oh, I needed to build with --enable-type-inference.

The first bad revision is:
changeset:   0cd7e38f0b39
user:        Brian Hackett
date:        Fri Oct 29 08:05:55 2010 -0700
summary:     [INFER] Javascript type inference, bug 557407.
(Assignee)

Comment 3

8 years ago
Created attachment 500038 [details] [diff] [review]
Fix

This patch adds JSOP_GETLOCALPROP to the use-before-def analysis; this fixes the crash and passes jit-tests. If you think this patch is correct we should probably also review the other JSOP_*LOCAL* opcodes.
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Attachment #500038 - Flags: review?(bhackett1024)
(Assignee)

Comment 4

8 years ago
Created attachment 500042 [details] [diff] [review]
Fix

Oops, I missed the other JSOP_*LOCAL opcodes in the switch, should just add it there. Do we need to land this on tracemonkey as well? I couldn't reproduce the crash there though.
Attachment #500038 - Attachment is obsolete: true
Attachment #500042 - Flags: review?(bhackett1024)
Attachment #500038 - Flags: review?(bhackett1024)
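
A toy model of the use-before-def gap described in comments 3 and 4, added here as an illustration; it is not SpiderMonkey code or the attached patch. The opcode enum, the instruction encoding, the `fixed` flag and the bytecode chosen for the test case are assumptions, and only straight-line code is handled.

```cpp
#include <cstdio>
#include <set>
#include <vector>

// Toy opcode set. The names echo the JSOP_*LOCAL* opcodes mentioned in the
// bug, but the encoding and the analysis are simplified assumptions.
enum Op { GETLOCAL, SETLOCAL, GETLOCALPROP, NEWOBJECT, POP };

struct Insn { Op op; int slot; };  // slot is ignored for non-local opcodes

// Does this opcode read a local slot? With fixed == false the fused
// "read local, then get property" opcode is missing from the switch.
static bool readsLocal(Op op, bool fixed) {
    switch (op) {
      case GETLOCAL:     return true;
      case GETLOCALPROP: return fixed;
      default:           return false;
    }
}

// Returns the local slots that are read before any write to them.
std::set<int> usedBeforeDef(const std::vector<Insn>& code, bool fixed) {
    std::set<int> defined, flagged;
    for (const Insn& in : code) {
        if (readsLocal(in.op, fixed) && !defined.count(in.slot))
            flagged.insert(in.slot);
        if (in.op == SETLOCAL)
            defined.insert(in.slot);
    }
    return flagged;
}

// Constructed bytecode for the test case: var x; x.a; x = {};
std::vector<Insn> testcase() {
    return { {GETLOCALPROP, 0}, {POP, 0}, {NEWOBJECT, 0}, {SETLOCAL, 0}, {POP, 0} };
}

int main() {
    std::printf("switch without GETLOCALPROP: %zu slot(s) flagged\n",
                usedBeforeDef(testcase(), false).size());
    std::printf("switch with GETLOCALPROP:    %zu slot(s) flagged\n",
                usedBeforeDef(testcase(), true).size());
    return 0;
}
```
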

Comment 5

Comment on attachment 500042 [details] [diff] [review]
Fix

Looks good, should be able to push this tonight (traveling; also, not sure you know, I will be traveling and mostly unavailable all of January and February).

This should also go on TM, but is not super critical there as this analysis is only used if trace hints are disabled.
Attachment #500042 - Flags: review?(bhackett1024) → review+
(Assignee)

Comment 6

8 years ago
(In reply to comment #5)
> Looks good, should be able to push this tonight (traveling; also, not sure you
> know, I will be traveling and mostly unavailable all of January and February).
> 

Have a nice trip - let me know if you're coming to Amsterdam ;). Just curious, does this mean the JM branch will be inactive the coming two months? Or is someone else planning to do occasional merges/bugfixes?
The JM branch will probably be inactive until Firefox 4 wraps up, but should be getting some merge, bugfix, review and (maybe) feature work afterwards.  We want the stuff currently in JM to be shippable for Firefox 5, which would mean things need to be in good shape by (I think) the end of March.

I'll be biking around New Zealand; hopefully can get to Europe before too long!
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey