Closed Bug 641235 Opened 9 years ago Closed 9 years ago

TI: Crash [@ js::types::TypeFailure] due to Unknown bytecode: casex

Categories

(Core :: JavaScript Engine, defect, critical)

Platform: x86, Linux
Type: defect, Priority: Not set, Severity: critical

Tracking

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)

function g(code) {
    code = code.replace(/\/\*DUPTRY\d+\*\//, function(k) {
        var n = parseInt(k.substr(8), 10);
        return aa("try{}catch(e){}", n);
    });
    var f = new Function(code);
    f()
}
function aa(s, n) {
    if (n == 1) {
        return s;
    }
    var s2 = s + s;
    var r = n % 2;
    var d = (n - r) / 2;
    var m = aa(s2, d);
    return r ? m + s : m;
}
g("switch(x){default:case l:/*DUPTRY5338*/case 0:x}");

crashes js debug and opt shells on JM changeset bcf148dbce2f with -m, -a and -n at:

[infer failure] Unknown bytecode: casex
Segmentation fault

Oops, inference didn't handle CASEX or DEFAULTX when modeling type effects.

http://hg.mozilla.org/projects/jaegermonkey/rev/f70363576e62

Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey

Crash Signature: [@ js::types::TypeFailure]

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug641235.js.
Flags: in-testsuite+