Last Comment Bug 657247 - TI: [infer failure] Missing type in object #2:9:Array 123\x00456: int
: TI: [infer failure] Missing type in object #2:9:Array 123\x00456: int
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: infer-regress langfuzz
  Show dependency treegraph
Reported: 2011-05-15 13:32 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:30 PST (History)
4 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Christian Holler (:decoder) 2011-05-15 13:32:42 PDT
The following testcase crashes on TI revision 693a36f402ee (run with -m -n -a),
tested on 64 bit:

a = new Array;
for (var i = 0; i != 1000; ++i) a[i] = 17;
var x = '123' + '\0' + '456';
(1, a[x], ': 123\\0456');
Comment 1 User image Brian Hackett (:bhackett) 2011-05-15 23:42:15 PDT
MakeTypeId has a loop similar to js_StringIsIndex testing for strings which should be represented by the aggregate id for integer indexes.  The two behaved differently on strings containing nulls (did this change on TM recently?  I made sure there was a correspondence when writing MakeTypeId).  Would be nice to remove the duplicate code and make MakeTypeId simpler, but I'd like to have the property that all integers and strings representing integers (including negative integers) map to the same type ID.  Need to think about this some more.
Comment 2 User image Jan de Mooij [:jandem] 2011-05-16 00:30:44 PDT
I think this is actually a TM bug, I filed bug 653175 a few weeks ago. Once that bug is fixed we'll get a new inference failure though, so it's not a big problem and at least we're more consistent now.
Comment 3 User image Christian Holler (:decoder) 2013-01-14 08:30:33 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug657247.js.

Note You need to log in before you can comment on or make changes to this bug.