Bug 642154 (Closed). Opened 9 years ago, closed 9 years ago.

JM: Crash [infer failure] Missing type at #2:00013 pushed 0: float

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64, Linux
Tracking: RESOLVED FIXED
People: Reporter: decoder, Assigned: jandem
References: Blocks 2 open bugs
Details: Keywords: crash, testcase; Whiteboard: fixed-in-jaegermonkey
Attachments: 1 file

The following test case (run with -n -a) crashes on JM tip (tested on 64 bit):

Math.pow(1, /strict/.POSITIVE_INFINITY);
Probably something I can fix.
Status: NEW → ASSIGNED
Attached patch: Patch
TI's arithmetic handler treats undefined as int-like and pow(1, undefined) is inferred as integer. ValueToNumber converts undefined to NaN though and the fast path for pow(1, x) has to call markTypeCallerOverflow.

Another fix is to add an undefined check to "if (argc <= 1)" but I think this is more future-proof (undefined can also come from valueOf).
Assignee: general → jandemooij
Attachment #519716 - Flags: review?(bhackett1024)
Another fix is to make TypeConstraintArith::newType treat TYPE_UNDEFINED like TYPE_DOUBLE. What do you think?
Attachment #519716 - Flags: review?(bhackett1024) → review+
The idea behind the current behavior of TypeConstraintArith is that even if we add undefined to the type set of a variable, we presume that no undefined value will actually be used in arithmetic, and no NaN value will be produced.  This keeps us from marking the result of the Math.pow as a double if it will always in practice be an integer.  We just need to make sure that markTypeCallerOverflow is actually called every time an undefined value is passed in.
http://hg.mozilla.org/projects/jaegermonkey/rev/4f98173f211a
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
Blocks: 676763
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug642154.js.
Flags: in-testsuite+
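
The invariant discussed in the comments above, as an added toy model that is not SpiderMonkey code and not part of the bug: the predicted result type set must be widened whenever pow actually produces a non-integer, whether the undefined comes from the argument itself or from valueOf. The names typeTag, inferPow and powCall, the type tags, and the three "fix" modes are assumptions made for illustration; the valueOf case assumes its call site was inferred as int.

```javascript
// Toy model of the type-inference invariant in this bug. Not SpiderMonkey
// code: typeTag, inferPow and powCall are hypothetical names.

// Dynamic type tag of a value, as an inference checker would record it.
function typeTag(v) {
  if (typeof v !== "number") return typeof v;
  return (v | 0) === v && !Object.is(v, -0) ? "int" : "float";
}

// Static side: arithmetic treats undefined as int-like, so
// pow(int, undefined) is predicted to push an int.
function inferPow(argTags) {
  const intLike = (t) => t === "int" || t === "undefined";
  return new Set([argTags.every(intLike) ? "int" : "float"]);
}

// Runtime side. `fix` selects where the result type set gets widened:
//   "none"         - no widening on this path
//   "arg-check"    - only when the raw argument is undefined
//   "result-check" - after number conversion, when the result is not an int
function powCall(inferred, base, exp, fix) {
  if (fix === "arg-check" && exp === undefined) inferred.add("float");
  const y = Number(exp); // ValueToNumber analogue: undefined -> NaN
  const result = Math.pow(Number(base), y);
  if (fix === "result-check" && typeTag(result) === "float") inferred.add("float");
  // Analogue of the inference assertion that reported "Missing type ... float".
  return { result, ok: inferred.has(typeTag(result)) };
}

// Constructed inputs: the bug's testcase argument, and an object whose
// valueOf returns undefined (its site is assumed to be inferred as int).
const fromRegExp = /strict/.POSITIVE_INFINITY; // undefined
const fromValueOf = { valueOf() { return undefined; } };

for (const fix of ["none", "arg-check", "result-check"]) {
  const a = powCall(inferPow(["int", "undefined"]), 1, fromRegExp, fix);
  const b = powCall(new Set(["int"]), 1, fromValueOf, fix);
  console.log(fix, "undefined arg ok:", a.ok, "| valueOf ok:", b.ok);
}
```

In the model, a call such as pow(1, 2) under "result-check" leaves the set as int only, which is the property the review comment wants to preserve.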