642146 - JM: Crash [infer failure] Missing type in object #2:1:Object prototype: Error:prototype

Status: RESOLVED WORKSFORME

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test case (run with -n -a -m) crashes on JM tip (tested on 64 bit):


try {
    new {prototype: TypeError.prototype};
} catch (e) {}


Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7f7dfbb1e720 (LWP 578)]
0x00000000004e0ef3 in js::types::TypeFailure (cx=0x2308be0, fmt=0x7a4d00 "Missing type in object %s %s: %s") at jsinfer.cpp:288
288         *((int*)NULL) = 0;  /* Type warnings */
(gdb) bt
#0  0x00000000004e0ef3 in js::types::TypeFailure (cx=0x2308be0, fmt=0x7a4d00 "Missing type in object %s %s: %s") at jsinfer.cpp:288
#1  0x00000000004e0d6c in js::types::TypeHasProperty (cx=0x2308be0, obj=0x23771d0, id={asBits = 140179046141568}, value=@0x7fff1353b760) at jsinfer.cpp:266
#2  0x00000000004128ca in JSObject::getProperty (this=0x7f7dfa40f108, cx=0x2308be0, receiver=0x7f7dfa40f108, id={asBits = 140179046141568}, vp=0x7fff1353b760) at ./jsobj.h:1237
#3  0x000000000041292f in JSObject::getProperty (this=0x7f7dfa40f108, cx=0x2308be0, id={asBits = 140179046141568}, vp=0x7fff1353b760) at ./jsobj.h:1242
#4  0x000000000051b002 in js_CreateThis (cx=0x2308be0, callee=0x7f7dfa40f108) at jsobj.cpp:2924
#5  0x00000000004f9857 in js::InvokeConstructor (cx=0x2308be0, argsRef=@0x7fff1353b840) at jsinterp.cpp:1287
#6  0x00000000007103c5 in js::mjit::stubs::SlowNew (f=@0x7fff1353b8c0, argc=0) at ./methodjit/InvokeHelpers.cpp:206
#7  0x00000000006efc66 in js::mjit::ic::NativeNew (f=@0x7fff1353b8c0, ic=0x2381ac8) at ./methodjit/MonoIC.cpp:1056
#8  0x00007f7dfa5bd42d in ?? ()
#9  0x00007f7dfa5bd068 in ?? ()
#10 0x0000000002381780 in ?? ()
#11 0x0000000000000000 in ?? ()

Comment 1

[Brian Hackett [Laid off!]]

Works for me now, probably fixed by the below cset (this test is derived from a jstest that was itself broken this morning).

http://hg.mozilla.org/projects/jaegermonkey/rev/cf686d29779c