Closed Bug 641491 Opened 14 years ago Closed 14 years ago

TI+JM: crash [@js::types::TypeObject::name] or Assertion failure: type, at ../jsinfer.h:100

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

References

Details

(Whiteboard: fixed-in-jaegermonkey)

Attachments

(2 files)

Test case
239 bytes, application/x-javascript
Details
Valgrind output
3.31 KB, text/plain
Details
Running the attached file in a debug build with -n -a -m crashes most of the time: #0 0x00043575 in js::types::TypeObject::name (this=0x9) at jsinferinlines.h:1112 #1 0x000d8b24 in js::types::TypeString (type=9) at ../jsinfer.cpp:188 #2 0x000b78a4 in JSScript::typeSetArgument (this=0x715600, cx=0x70b4f0, arg=0, type=9) at jsinferinlines.h:631 #3 0x003331d4 in UncachedInlineCall (f=@0xbffff490, flags=0, pret=0xbffff41c, unjittable=0xbffff420, argc=1, argTypes=0x713b00) at ../methodjit/InvokeHelpers.cpp:369 #4 0x0033357e in js::mjit::stubs::UncachedCallHelper (f=@0xbffff490, argc=1, argTypes=0x713b00, ucr=0xbffff414) at ../methodjit/InvokeHelpers.cpp:488 Sometimes it asserts: Assertion failure: type, at ../jsinfer.h:100 And sometimes it gives the correct output: test.js:15: TypeError: invalid XML name f2[1]
Attached file Test case
Attached file Valgrind output
Bug 621942 updated call ICs to point to type information, but did not reorder things in JSCompartment::sweep, allowing the IC sweeping to access free data. http://hg.mozilla.org/projects/jaegermonkey/rev/0548f6d12aa6
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: