Closed Bug 1237998 Opened 10 years ago Closed 10 years ago

Assertion failure: [infer failure] Missing type in object [0x129586640] marker: [0x129586850], at /builds/slave/m-cen-m64-d-000000000000000000/build/src/js/src/vm/TypeInference.cpp:305

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla46
Tracking Flags:
Tracking Status
firefox46 --- fixed

People

(Reporter: cbook, Assigned: jandem)

References

(
URL
)

Details

(Keywords: assertion)

Attachments

(2 files)

bughunter crash stack
200.17 KB, text/plain
Details
Patch
1.27 KB, patch
bhackett1024
: review+
Details | Diff | Splinter Review
Attached file bughunter crash stack
found via bughunter Assertion failure: [infer failure] Missing type in object [0x129586640] marker: [0x129586850], at /builds/slave/m-cen-m64-d-000000000000000000/build/src/js/src/vm/TypeInference.cpp:305 Steps to reproduce: Load http://mojtermin.mk/map
jan, i think this is for you
Flags: needinfo?(jdemooij)
TI bugs are usually s-s.
Group: javascript-core-security
Attached patch PatchSplinter Review
Regression from bug 1236546. Before that bug, objects with a null proto had unknown properties. Unboxed object expandos relied on this: the AddSlot ICs guard on the unboxed group and the expando shape, but not on the expando's group. This patch gives expando objects unknown properties to fix this. I was unable to write a shell testcase for this, but I verified it fixes the TI failure.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8706029 - Flags: review?(bhackett1024)
Keywords: sec-high
Comment on attachment 8706029 [details] [diff] [review] Patch Review of attachment 8706029 [details] [diff] [review]: ----------------------------------------------------------------- This is a bogus assert, right? Since expandos aren't directly accessible by scripts, the type information for their properties is reflected in the type information of the unboxed group they are storing properties for.
Attachment #8706029 - Flags: review?(bhackett1024) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/9ee3fb4a1528
Blocks: 1236546
Group: javascript-core-security
Keywords: sec-high
https://hg.mozilla.org/mozilla-central/rev/9ee3fb4a1528
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox46: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: