Closed Bug 639759 Opened 13 years ago Closed 13 years ago

TI: scripts hangs with type inference enabled

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

(Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 file)

Test
186 bytes, application/x-javascript
Details
Attached file Test 
Attached file hangs for me with -n -a or -m -n -a.
Sharks says all time is spent under js::types::CondenseTypeObjectList.
Ooof, under DestroyScript we used the compartment associated with the cx rather than the script.  cx->compartment is usually totally wrong (big pitfall imo for GC code) so type objects created in one compartment get entrained on another compartment and chaos ensues.

http://hg.mozilla.org/projects/jaegermonkey/rev/75d5794ab88a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
On TM, we set cx->compartment to NULL during GC. That should catch things like this. You might want to merge that line over to JM.
Hmm, I did a TM -> JM merge last week and picked up that change (SwitchToCompartment(NULL) in GCUntilDone, right?).  Unfortunately that didn't catch this use due to a quirk of C++ semantics, which I filed bug 639954 for.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: