Closed
Bug 641491
Opened 13 years ago
Closed 13 years ago
TI+JM: crash [@js::types::TypeObject::name] or Assertion failure: type, at ../jsinfer.h:100
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: jandem, Unassigned)
References
Details
(Whiteboard: fixed-in-jaegermonkey)
Attachments
(2 files)
Running the attached file in a debug build with -n -a -m crashes most of the time: #0 0x00043575 in js::types::TypeObject::name (this=0x9) at jsinferinlines.h:1112 #1 0x000d8b24 in js::types::TypeString (type=9) at ../jsinfer.cpp:188 #2 0x000b78a4 in JSScript::typeSetArgument (this=0x715600, cx=0x70b4f0, arg=0, type=9) at jsinferinlines.h:631 #3 0x003331d4 in UncachedInlineCall (f=@0xbffff490, flags=0, pret=0xbffff41c, unjittable=0xbffff420, argc=1, argTypes=0x713b00) at ../methodjit/InvokeHelpers.cpp:369 #4 0x0033357e in js::mjit::stubs::UncachedCallHelper (f=@0xbffff490, argc=1, argTypes=0x713b00, ucr=0xbffff414) at ../methodjit/InvokeHelpers.cpp:488 Sometimes it asserts: Assertion failure: type, at ../jsinfer.h:100 And sometimes it gives the correct output: test.js:15: TypeError: invalid XML name f2[1]
|
Reporter | |
Comment 1•13 years ago
|
||
|
|
Reporter | |
Comment 2•13 years ago
|
||
|
||
Comment 3•13 years ago
|
||
Bug 621942 updated call ICs to point to type information, but did not reorder things in JSCompartment::sweep, allowing the IC sweeping to access free data. http://hg.mozilla.org/projects/jaegermonkey/rev/0548f6d12aa6
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
You need to log in
before you can comment on or make changes to this bug.
Description
•