Closed Bug 675889 Opened 9 years ago Closed 9 years ago

TI: Crash [@ js::types::TypeObject::setFlags]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Crash Data

The following testcase crashes on TI revision 674160662e80 (run with -j -m -n -a), tested on 64 bit:


function checkMethods(proto) {
    var names = Object.getOwnPropertyNames(proto);
    for (var i = 0; i < names.length; i++) {
        var name = names[i];
        var prop = proto[name];
    }
}
checkMethods(Function.prototype);
The type information for Function.prototype was missing a pointer to the associated JSFunction's script. Function.prototype is initialized differently from other scripted functions, it is created, has its type set and then sometime later has its script constructed.  This latter update needed to fill in the script on the type as well.

http://hg.mozilla.org/projects/jaegermonkey/rev/91281c11a122
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Blocks: 676763
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug675889.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.