Closed Bug 650148 Opened 13 years ago Closed 13 years ago

TI: [infer failure] Missing type in object Global s: float

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase) 

The following testcase crashes on TI revision dca50d9a5047 (run with -m -n -a),
tested on 32 and 64 bit:

summary=/(?!AB+D)AB/.exec("AB") + '';
try {
  var s = "throw 42";
} catch (e) {}
test();
function test() {
  [ {0xBe: /l/|| 'Error' ? s++ : summary } ]
}
function foo(code)
        Function(code)();
foo("for each (y in this);");
When handling overflows on INCLOCAL/ARG/GNAME, we didn't do anything if the pushed type set already contained the float type.  This is incorrect if that pushed type set was unified with another one due to the '?' operator.

http://hg.mozilla.org/projects/jaegermonkey/rev/f3a11a539c79
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug650148.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.