Closed Bug 617558 Opened 13 years ago Closed 13 years ago

TypeInference: Assertion failure: !object->isDenseArray

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jandem, Assigned: bhackett1024)

References

Details

(Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 file)

fix
3.90 KB, patch
Details | Diff | Splinter Review 
./js -m
js> [].__proto__.foo = true; eval("[]");
Assertion failure: !object->isDenseArray, at ../jsinfer.cpp:2107
Attached patch fixSplinter Review 
This is a bug in the inference itself.  Type objects can get marked as having all properties unknown when they've had dynamic string property assignments through SETELEM, had __proto__ assigned to or have a prototype with unknown properties.  This shouldn't happen for type objects representing dense and/or packed arrays, but could if Array.prototype itself was marked with unknown properties.  This also fixes things so that assignments in the interpreter don't poison updated type objects with unknown properties (oops).

http://hg.mozilla.org/projects/jaegermonkey/rev/0b73d74d343d
Assignee: general → bhackett1024
Whiteboard: fixed-in-jaegermonkey
Blocks: infer-regress
No longer blocks: TypeInference
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.