Closed Bug 639126 Opened 12 years ago Closed 12 years ago

TI: Missing type at #2:00029 pushed 0: Function:prototype:new

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

(Whiteboard: fixed-in-jaegermonkey) 

Type inference branch becomes more stable every day, but there are still some asserts/crashes left. I will test without JM for now to find inference bugs first.
--
Array.__proto__ = Array.__proto__;
gc();
Array["name" + ""];
Array();
--
$ ./js -n -a test.js
[infer failure] Missing type at #2:00029 pushed 0: Function:prototype:new
(In reply to comment #0)
> Type inference branch becomes more stable every day, but there are still some
> asserts/crashes left. I will test without JM for now to find inference bugs
> first.

Sounds good.  As part of bug 619693 I'm going to add assertions to check the TypeObject property invariants on each set/get/defineProperty, which this and similar bugs should trip on even sooner and should also trip on when running with JM.
Hmm, this is a problem with mutable __proto__.  Since writing to __proto__ changes the type of an object, we handle this by marking the old and new types as having unknown properties and then treat such unknown objects as interchangeable within type sets.  The problem is that if the old type was collected due to no longer being used, no other unknown object was added to the set in its place to cover objects which originally had that old type. Yuck.

http://hg.mozilla.org/projects/jaegermonkey/rev/855c0198a515
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
You need to log in before you can comment on or make changes to this bug.