Hit MOZ_CRASH(Types should be in accordance.) at jit/TypePolicy.cpp:872 or Crash [@ js::jit::FilterTypeSetPolicy::adjustInputs]

RESOLVED FIXED in Firefox 35

Status: defect, critical, RESOLVED FIXED, 5 years ago
People: Reporter: decoder, Assigned: h4writer
Tracking: Blocks 1 bug, {crash, testcase}; Trunk, mozilla35, x86_64, Linux
Firefox Tracking Flags: firefox35 fixed
Details: Whiteboard: [jsbugmon:update,bisect], crash signature
Attachments: 2 attachments
The following testcase crashes on mozilla-central revision e4cfacb76830 (run with --no-threads --fuzzing-safe --ion-eager):

function foo() {
  for(__key in null)
    var key=startTest(VERSION) ? this : this;
  if (key !== undefined) {}
} foo();

It looks like the opt-crash also hits a MOZ_CRASH but doesn't output a message (just crashes at NULL). Marked this s-s until triaged because the debug message indicates some form of type mismatch.
Whiteboard: [jsbugmon:update,bisect]
A crash place I added a few days ago.
Flags: needinfo?(hv1989)
Posted patch: Patch
This can happen if we haven't seen the type of that branch yet. So we will have to add this code to force a bail here.
Assignee: nobody → hv1989
Attachment #8501835 - Flags: review?(jdemooij)
Flags: needinfo?(hv1989)
Attachment #8501835 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/790c862b4c2a
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Blocks: 1073861
Not ss
Group: core-security