Closed Bug 1079850 Opened 11 years ago Closed 11 years ago

Hit MOZ_CRASH(Types should be in accordance.) at jit/TypePolicy.cpp:872 or Crash [@ js::jit::FilterTypeSetPolicy::adjustInputs]

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla35
Tracking Flags:
Tracking Status
firefox35 --- fixed

People

(Reporter: decoder, Assigned: h4writer)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update,bisect])

Crash Data

Attachments

(2 files)

[crash-signature] Machine-readable crash signature
992 bytes, text/plain
Details
Patch
1.51 KB, patch
jandem
: review+
Details | Diff | Splinter Review
The following testcase crashes on mozilla-central revision e4cfacb76830 (run with --no-threads --fuzzing-safe --ion-eager): function foo() { for(__key in null) var key=startTest(VERSION) ? this : this; if (key !== undefined) {} } foo();
It looks like the opt-crash also hits a MOZ_CRASH but doesn't output a message (just crashes at NULL). Marked this s-s until triaged because the debug message indicates some form of type mismatch.
status-firefox35: --- → affected
Whiteboard: [jsbugmon:update,bisect]
A crash place I added a few days ago.
Flags: needinfo?(hv1989)
Attached patch PatchSplinter Review
This can happen if we haven't seen the type of that branch yet. So we will have to add this code to force a bail here.
Assignee: nobody → hv1989
Attachment #8501835 - Flags: review?(jdemooij)
Flags: needinfo?(hv1989)
Attachment #8501835 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/790c862b4c2a
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox35: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
Blocks: 1073861
Not ss
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: