Closed
Bug 621522
Opened 14 years ago
Closed 14 years ago
TypeInference: JM: crash when accessing property of undefined variable
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: jandem, Assigned: jandem)
Details
(Whiteboard: fixed-in-jaegermonkey)
Attachments
(1 file, 1 obsolete file)
1.33 KB, patch | bhackett1024: review+
This crashes with -m:
---
function f() {
    var x;
    x.a;
    x = {};
}
f();
---
Comment 1•14 years ago
WFM? (JM branch, js-dbg-32-f405f5f83fbe-darwin)
Comment 2•14 years ago
Oh, I needed to build with --enable-type-inference. The first bad revision is:
changeset: 0cd7e38f0b39
user: Brian Hackett
date: Fri Oct 29 08:05:55 2010 -0700
summary: [INFER] Javascript type inference, bug 557407.
Comment 3•14 years ago (Assignee)
This patch adds JSOP_GETLOCALPROP to the use-before-def analysis; this fixes the crash and passes jit-tests. If you think this patch is correct we should probably also review the other JSOP_*LOCAL* opcodes.
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Attachment #500038 - Flags: review?(bhackett1024)
Comment 4•14 years ago (Assignee)
Oops, I missed the other JSOP_*LOCAL opcodes in the switch, should just add it there. Do we need to land this on tracemonkey as well? I couldn't reproduce the crash there though.
Attachment #500038 - Attachment is obsolete: true
Attachment #500042 - Flags: review?(bhackett1024)
Attachment #500038 - Flags: review?(bhackett1024)
Comment 5•14 years ago
Comment on attachment 500042: Fix

looks good, should be able to push this tonight (traveling; also, not sure you know, I will be traveling and mostly unavailable all of January and February). This should also go on TM, but is not super critical there as this analysis is only used if trace hints are disabled.
Attachment #500042 - Flags: review?(bhackett1024) → review+
Comment 6•14 years ago (Assignee)
(In reply to comment #5)
> looks good, should be able to push this tonight (traveling; also, not sure you
> know, I will be traveling and mostly unavailable all of January and February).

Have a nice trip - let me know if you're coming to Amsterdam ;). Just curious, does this mean the JM branch will be inactive the coming two months? Or is someone else planning to do occasional merges/bugfixes?
Comment 7•14 years ago
The JM branch will probably be inactive until Firefox 4 wraps up, but should be getting some merge, bugfix, review and (maybe) feature work afterwards. We want the stuff currently in JM to be shippable for Firefox 5, which would mean things need to be in good shape by (I think) the end of March. I'll be biking around New Zealand; hopefully can get to Europe before too long!
Updated•14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey