Closed Bug 658539 Opened 9 years ago Closed 9 years ago

TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00019 pushed 0: ArrayBuffer:prototype:new or Number:prototype:new

Categories

(Core :: JavaScript Engine, defect, critical)
Platform: x86 Linux
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 3 open bugs)

Details

(Keywords: crash, testcase)

with(newGlobal('same-compartment'))
new ArrayBuffer()

crashes js debug shell on JM changeset aec367836312 with -m, -a and -n at js::types::TypeFailure with the message:

[infer failure] Missing type at #2:00019 pushed 0: ArrayBuffer:prototype:new

with(newGlobal('same-compartment'))
new Number()

crashes js debug shell on JM changeset aec367836312 with -m, -a and -n at js::types::TypeFailure with the message:

[infer failure] Missing type at #2:00019 pushed 0: Number:prototype:new

Type handlers for natives which construct objects sometimes based their result on the native's global and sometimes on the calling script's global.  TM's behavior here is normally wrong anyway (bug 631135), but TI needs to be consistent with TM and the simple way to do that is to mark the results of these cross-global native calls as unknown.

http://hg.mozilla.org/projects/jaegermonkey/rev/33f1ad45ccb8
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::types::TypeFailure]
Blocks: 349611
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug658539.js.
Flags: in-testsuite+