TI: Crash [@ js::types::TypeFailure] involving missing type at #2:00019 pushed 0: ArrayBuffer:prototype:new or Number:prototype:new

RESOLVED FIXED

Status

()

Product:
Core
Component:
JavaScript Engine
--
critical
RESOLVED FIXED
Reported:
6 years ago
Modified:
5 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 3 bugs, {crash, testcase})

Version:
Trunk
x86
Linux
Keywords:
crash, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

6 years ago 
with(newGlobal('same-compartment'))
new ArrayBuffer()

crashes js debug shell on JM changeset aec367836312 with -m, -a and -n at js::types::TypeFailure with the message:

[infer failure] Missing type at #2:00019 pushed 0: ArrayBuffer:prototype:new

with(newGlobal('same-compartment'))
new Number()

crashes js debug shell on JM changeset aec367836312 with -m, -a and -n at js::types::TypeFailure with the message:

[infer failure] Missing type at #2:00019 pushed 0: Number:prototype:new

Comment 1

6 years ago 
Type handlers for natives which construct objects sometimes based their result on the native's global and sometimes on the calling script's global.  TM's behavior here is normally wrong anyways (bug 631135), but TI needs to be consistent with TM and the simple way to do that is to mark the results of these cross-global native calls as unknown.

http://hg.mozilla.org/projects/jaegermonkey/rev/33f1ad45ccb8
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::types::TypeFailure]
 (Reporter)

Updated

6 years ago
Blocks: 349611

Comment 2

5 years ago 
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug658539.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.