Closed Bug 673766 Opened 14 years ago Closed 14 years ago

TI: Crash [@ js::types::TypeSet::isOwnProperty]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on TI revision 9b9fd467eb5f (run with -j -m -n -a), tested on 64 bit: function TestCase(n, d, e, a) { this.name = n this.description = d } function reportCompare(expected, actual, description) { new TestCase } var actual = ''; var expect = ''; for (var i = 0; i < 2; ++i) reportCompare(expect, actual, ': 2'); try { ({ valueOf: gc } - []) } catch (prop) {} function addThis() reportCompare(expect, actual, 'RegExp.multiline = 17'); Object.defineProperty(Object.prototype, "name", { set: function (newValue) {} }); addThis()
Crash Signature: [@ js::types::TypeSet::isOwnProperty]
After GC we now clear all constraints, including those which control the correctness of newScript information, so need to regenerate those constraints the first time compiled code depends on the info. The newScript information may have been cleared entirely in the interim though, so we need to check it against NULL, and the (braindead) error was that the newScript was then dereferenced anyways. http://hg.mozilla.org/projects/jaegermonkey/rev/359730f0730c
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug673766.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.