Closed Bug 684281 Opened 13 years ago Closed 13 years ago

Assertion failure: [infer failure] Missing type in object [0x7fc592604680] (index): int, at jsinfer.cpp:341

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 file)

patch
4.47 KB, patch
billm
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision fcca99426576 (run with -m -n -a), tested on 64 bit:


function printStatus (msg) {}
F = function () {};
F.prototype = new Int32Array(1);
o = new F();
function f2(o){ 
	with(this) 
	for(var x in o) 
	printStatus(o[x]); 
}
f2([]);
One more question to this test: I remember that at some point, infer failures were critical, as in, we cannot continue, therefore we abort (either through assertion or controlled crash, which we changed a while ago). This test doesn't do anything for optimized builds, is that intended behavior?
The [infer failure] generally reflects that the core TI invariant, that the known types reflect the state of the world, is violated.  It does not mean we will crash later, but if we *do* crash it will probably be hard to track down the underlying cause.
Attached patch patchSplinter Review 
Bogus assert.  Property type sets are not correct for objects with a class getter op, but we would still assert correctness for accesses on native objects which inherit properties from such objects.

Most of this patch is fixing Diassemble so that it can be called while iterating over scripts (and which I noticed while investigating this).  This broke after the recent CellIter changes in the GC (though I think that CellIter was correct to break this, as Disassemble shouldn't be allocating GC things while traversing arenas).
Attachment #558013 - Flags: review?(wmccloskey)
http://hg.mozilla.org/mozilla-central/rev/53e25966f155
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment on attachment 558013 [details] [diff] [review]
patch

I guess this landed already.

It would be nice if there were a better way to do this, but I can't think of any.
Attachment #558013 - Flags: review?(wmccloskey) → review+
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: