Closed
Bug 657975
Opened 12 years ago
Closed 12 years ago
TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00008 pushed 0: string, with trap
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: crash, testcase)
Crash Data
function f(){ "use strict"; options('strict'); }
dis(f)
trap(f, 0, '')
f()
crashes js debug shell on JM changeset 5d1cbc94bc42 with -d, -a and -n at js::types::TypeFailure with the message:
[infer failure] Missing type at #2:00008 pushed 0: string
|
Reporter | |
Comment 1•12 years ago
|
||
flags: NULL_CLOSURE off op ----- -- main: 00000: callname "options" <-- trap goes here 00005: string "strict" 00008: call 1 00011: pop 00012: stop Source notes: ofs line pc delta desc args ---- ---- ----- ------ -------- ------ 0: 1 8 [ 8] xdelta 1: 1 8 [ 0] pcbase offset 8 [infer failure] Missing type at #2:00008 pushed 0: string
|
|
Reporter | |
Updated•12 years ago
|
Summary: TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00008 pushed 0: string → TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00008 pushed 0: string, with trap
|
||
Comment 2•12 years ago
|
||
The trap at the CALLNAME caused us to process it incorrectly and not mark the result which the interpreter pushed. Lots of possible problems with traps in analysis and inference code, for the below revision went through pc dereferences in these files and either added untraps or asserted trap-ness (in cases where the caller must untrap). http://hg.mozilla.org/projects/jaegermonkey/rev/176ee6b37ad0
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
Crash Signature: [@ js::types::TypeFailure]
|
||
Comment 3•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug657975.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•