Closed
Bug 643244
Opened 13 years ago
Closed 13 years ago
TI: Crash [@ js::types::TypeFailure] with missing type pushed inference failure
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, testcase, Whiteboard: fixed-in-jaegermonkey)
Crash Data
delete(0).__proto__.valueOf
eval("(function(){(0).valueOf();<x/>})")()
crashes js debug and opt shells on JM changeset 5ce2f7a90286 with -m, -a and -n at js::types::TypeFailure and a message [infer failure] Missing type at #4:00004 pushed 0: Number:prototype:new
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
|
Reporter | |
Comment 1•13 years ago
|
||
Oops, this doesn't crash opt shells.
|
||
Comment 3•13 years ago
|
||
The type handler for Object.valueOf was broken when applied to primitive values. http://hg.mozilla.org/projects/jaegermonkey/rev/a0052afaf27f
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
|
||
Updated•13 years ago
|
Crash Signature: [@ js::types::TypeFailure]
|
||
Comment 4•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug643244.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•