Closed Bug 648999 Opened 13 years ago Closed 13 years ago

TI: Crash in mjit-generated code

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase) 

The following testcase crashes on TI revision 74a8fb1bbec5 (run with -m -n -a), tested on 64 bit:

test();
function test()
{
  for (var j = 0; j < 10; ++j) new j;
}
If the called function is a known primitive but a copy of something else, we tried to forget its type but screwed that up, and didn't generate a test for an object later.  Comments: syncAndForgetFe should forget if the fe is a copy (need to look at its other calls), and we should assert when trying to write the data/type info for entries which are copies of other entries (added asserts recently if we read this info).

http://hg.mozilla.org/projects/jaegermonkey/rev/265baede77e3
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.