Closed Bug 642422 Opened 13 years ago Closed 13 years ago

TI: [infer failure] Missing type at #3:00025 pushed 0: Global

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey) 

The following test case (run with -n -a) crashes on TI tip, tested on 64
bit:

gczeal(2);
var x;
var foo = "for (var z = 0; z < 2; ++z) { new Object(new String(this), x)}";
eval(foo);
During GC, we would clear type information for all eval scripts, including those on the stack, rather than only those pending destruction.  This fixes the script->isCachedEval flag to hold iff the script is in the compartment's scriptsToGC table.

http://hg.mozilla.org/projects/jaegermonkey/rev/7085463508ee
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug642422.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.