Bug 658539 - TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00019 pushed 0: ArrayBuffer:prototype:new or Number:prototype:new
Status: RESOLVED FIXED
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Assigned To: general
Blocks: jsfunfuzz js-differential-test infer-regress
Reported: 2011-05-20 08:14 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-14 08:27 PST
Flags: choller: in-testsuite+

Description Gary Kwong [:gkw] [:nth10sd] 2011-05-20 08:14:58 PDT
with(newGlobal('same-compartment'))
new ArrayBuffer()

crashes js debug shell on JM changeset aec367836312 with -m, -a and -n at js::types::TypeFailure with the message:

[infer failure] Missing type at #2:00019 pushed 0: ArrayBuffer:prototype:new

with(newGlobal('same-compartment'))
new Number()

crashes js debug shell on JM changeset aec367836312 with -m, -a and -n at js::types::TypeFailure with the message:

[infer failure] Missing type at #2:00019 pushed 0: Number:prototype:new

Comment 1 Brian Hackett (:bhackett) 2011-05-21 06:49:11 PDT
Type handlers for natives which construct objects sometimes based their result on the native's global and sometimes on the calling script's global.  TM's behavior here is normally wrong anyways (bug 631135), but TI needs to be consistent with TM and the simple way to do that is to mark the results of these cross-global native calls as unknown.

http://hg.mozilla.org/projects/jaegermonkey/rev/33f1ad45ccb8
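
A simplified model of the mismatch and the fix described in comment 1, added here as an illustration; it is not SpiderMonkey code and not part of the original bug. All names (makeGlobal, inferResult, simulate, the 'native'/'caller' picks) are hypothetical, and the model makes no claim about which global the real engine used at run time.

```javascript
// Toy model: every global owns its own prototype objects, so
// "Number:prototype:new" in one global is a different type from the
// same-named type in another global.
const UNKNOWN = Symbol('unknown');

function makeGlobal(name) {
  return { name, protos: { Number: {}, ArrayBuffer: {} } };
}

// Pick the prototype from either the native's global or the calling script's global.
function protoFor(className, pick, nativeGlobal, scriptGlobal) {
  const g = pick === 'native' ? nativeGlobal : scriptGlobal;
  return g.protos[className];
}

// Type handler for a constructing native. With `fixed`, a cross-global
// call is marked unknown instead of guessing a global (the approach in comment 1).
function inferResult(className, handlerPick, nativeGlobal, scriptGlobal, fixed) {
  if (fixed && nativeGlobal !== scriptGlobal) return UNKNOWN;
  return new Set([protoFor(className, handlerPick, nativeGlobal, scriptGlobal)]);
}

// Debug-style consistency check: the pushed value's type must be in the inferred set.
function checkPushed(typeSet, value) {
  if (typeSet === UNKNOWN) return 'ok';
  return typeSet.has(Object.getPrototypeOf(value)) ? 'ok' : 'missing type';
}

// runtimePick / handlerPick say which global each side bases the result on.
function simulate({ className, runtimePick, handlerPick, crossGlobal, fixed }) {
  const script = makeGlobal('script');
  const nativeGlobal = crossGlobal ? makeGlobal('newGlobal') : script;
  const value = Object.create(protoFor(className, runtimePick, nativeGlobal, script));
  const typeSet = inferResult(className, handlerPick, nativeGlobal, script, fixed);
  return checkPushed(typeSet, value);
}

// Constructed cases: runtime and handler disagree on a cross-global call.
const broken = { className: 'Number', runtimePick: 'native', handlerPick: 'caller',
                 crossGlobal: true, fixed: false };
console.log(simulate(broken));                       // inconsistent handler
console.log(simulate({ ...broken, fixed: true }));   // result marked unknown
```

In the model the check fails only when the call crosses globals and the two sides disagree; marking the result unknown removes the dependence on either choice.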

Comment 2 Christian Holler (:decoder) 2013-01-14 08:27:18 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug658539.js.
