Closed
Bug 640098
Opened 13 years ago
Closed 13 years ago
TI: Crash [@ js::types::TypeFailure] with function, eval
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Assigned: jandem)
References
Details
(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)
Crash Data
Attachments
(1 file)
|
1.40 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
eval("(function(){({6953421313:0})})")()
crashes js debug shell on JM changeset adc45b0a01c8 at js::types::TypeFailure with -m, -n and -a and shows:
[infer failure] Missing type in object #3:0:Object (index): int
It shows string instead of int if 0 is changed to \"\".
|
Assignee | |
Comment 1•13 years ago
|
||
Looks like we're missing a call to typeMonitorAssign in stubs::InitElem (the interpreter has it too)
Assignee: general → jandemooij
Status: NEW → ASSIGNED
Attachment #518034 -
Flags: review?(bhackett1024)
|
||
Updated•13 years ago
|
Attachment #518034 -
Flags: review?(bhackett1024) → review+
|
|
||
Comment 2•13 years ago
|
||
http://hg.mozilla.org/projects/jaegermonkey/rev/acd2e423b6e1 Followup fix to remove the inference state tracking stack entries which are constant doubles (unlike integers, different doubles can map to different type properties. This code was fragile (e.g. bug 640078) and in this case wrong (not calling MakeTypeId) and it's simpler to just use dynamic monitoring to catch this oddball case. http://hg.mozilla.org/projects/jaegermonkey/rev/db22345e7c04
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
|
||
Updated•13 years ago
|
Crash Signature: [@ js::types::TypeFailure]
|
||
Comment 4•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug640098.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•