Closed Bug 657247 Opened 14 years ago Closed 14 years ago

TI: [infer failure] Missing type in object #2:9:Array 123\x00456: int

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

The following testcase crashes on TI revision 693a36f402ee (run with -m -n -a), tested on 64 bit: a = new Array; for (var i = 0; i != 1000; ++i) a[i] = 17; var x = '123' + '\0' + '456'; (1, a[x], ': 123\\0456');
MakeTypeId has a loop similar to js_StringIsIndex testing for strings which should be represented by the aggregate id for integer indexes. The two behaved differently on strings containing nulls (did this change on TM recently? I made sure there was a correspondence when writing MakeTypeId). Would be nice to remove the duplicate code and make MakeTypeId simpler, but I'd like to have the property that all integers and strings representing integers (including negative integers) map to the same type ID. Need to think about this some more. http://hg.mozilla.org/projects/jaegermonkey/rev/6d27f6e4e07a
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
I think this is actually a TM bug, I filed bug 653175 a few weeks ago. Once that bug is fixed we'll get a new inference failure though, so it's not a big problem and at least we're more consistent now.
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug657247.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.