Closed Bug 641231 Opened 13 years ago Closed 13 years ago

TI: Crash [@ js::types::TypeFailure]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)

Crash Data

Function("function a(){this(*)}new a")()

crashes js debug shells on JM changeset bcf148dbce2f with -m, -a and -n at:

[infer failure] Missing type at #3:00000 pushed 0: Function:prototype:new:prototype:new
Segmentation fault
Nice, bugs here from both the scripted 'new' changes in bug 619433 and from bug 621942.  Normally we want to ensure that function objects with the same getFunctionPrivate have the same type (modulo mutable __proto__, oi).  This doesn't hold for non-compileAndGo code, and we needed to account for that when computing the possible 'new' objects of a script.  The second bug is that the call IC code did not always mark scripts which have been called with 'new'.

http://hg.mozilla.org/projects/jaegermonkey/rev/1ce8efbb75cc
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Crash Signature: [@ js::types::TypeFailure]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug641231.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.