TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00008 pushed 0: string, with trap

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 6 years ago
Last modified: 5 years ago

People

Reporter: gkw
Assignee: Unassigned

Tracking

Blocks: 2 bugs
Keywords: crash, testcase
Version: Trunk
Platform: x86 / Linux
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 6 years ago)

function f(){ "use strict"; options('strict'); }
dis(f)
trap(f, 0, '')
f()

crashes js debug shell on JM changeset 5d1cbc94bc42 with -d, -a and -n at js::types::TypeFailure with the message:

[infer failure] Missing type at #2:00008 pushed 0: string

Comment 1 (Reporter, 6 years ago)

flags: NULL_CLOSURE
off     op
-----   --
main:
00000:  callname "options"              <-- trap goes here
00005:  string "strict"
00008:  call 1
00011:  pop
00012:  stop

Source notes:
 ofs  line    pc  delta desc     args
---- ---- ----- ------ -------- ------
  0:    1     8 [   8] xdelta  
  1:    1     8 [   0] pcbase   offset 8

[infer failure] Missing type at #2:00008 pushed 0: string

Updated (Reporter, 6 years ago)

Summary: TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00008 pushed 0: string → TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00008 pushed 0: string, with trap

The trap at the CALLNAME caused us to process it incorrectly and not mark the result which the interpreter pushed. There are lots of possible problems with traps in the analysis and inference code; for the revision below I went through the pc dereferences in these files and either added untraps or asserted trap-ness (in cases where the caller must untrap).

http://hg.mozilla.org/projects/jaegermonkey/rev/176ee6b37ad0
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::types::TypeFailure]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug657975.js.
Flags: in-testsuite+