Closed Bug 643249 Opened 13 years ago Closed 13 years ago

TI: "Assertion failure: !unknownProperties,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey) 

{
    function x() {}
}
for (i = 0; i < 10; i++) {
    _someglobal_ = /a/;
    (function() {
        return function() {
            return _someglobal_
        } ()
    } () == /a/);
    gc();
    _someglobal_ = new Function.__lookupSetter__;
}

asserts js debug shell on JM changeset 5ce2f7a90286 with -m, -a and -n
at Assertion failure: !unknownProperties

Pass this in as a CLI argument to reproduce.

Top 9 frames of the debug stack:

#0  0x001f7ff7 in JS_Assert (s=0x364997 "!unknownProperties", file=0x363518 "/Users/fuzz2/Desktop/jsfunfuzz-dbg-32-jm-63932-5ce2f7a90286/compilePath/jsinferinlines.h", ln=1134) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-jm-63932-5ce2f7a90286/compilePath/jsutil.cpp:80
#1  0x00043f9b in js::types::TypeObject::getProperty (this=0x80c700, cx=0x80ae60, id={asBits = 2}, assign=false) at jsinferinlines.h:1134
#2  0x000e96ac in js::types::TypeConstraintFreezeObjectKindSet::newType (this=0x10b0f50, cx=0x80ae60, source=0x10b0ad8, type=8439552) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-jm-63932-5ce2f7a90286/compilePath/jsinfer.cpp:1472
#3  0x000e8c13 in js::types::TypeCompartment::resolvePending (this=0x1071884, cx=0x80ae60) at jsinferinlines.h:787
#4  0x000e917e in js::types::TypeSet::add (this=0x814ba4, cx=0x80ae60, constraint=0x10af160, callExisting=true) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-jm-63932-5ce2f7a90286/compilePath/jsinfer.cpp:433
#5  0x000d90b8 in js::types::TypeSet::pushAllTypes (this=0x814ba4, cx=0x80ae60, script=0x8165f0, pc=0x81667c ";") at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-jm-63932-5ce2f7a90286/compilePath/jsinfer.cpp:1249
#6  0x00332e79 in ScopeNameCompiler::updateTypes (this=0xbffff300) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-jm-63932-5ce2f7a90286/compilePath/methodjit/PolyIC.cpp:1554
#7  0x00322979 in js::mjit::ic::Name (f=@0xbffff360, pic=0x816d98) at /Users/fuzz2/Desktop/jsfunfuzz-dbg-32-jm-63932-5ce2f7a90286/compilePath/methodjit/PolyIC.cpp:2022
#8  0x0071ea9d in ?? ()
We were constructing some unnecessary type constraints when determining the characteristics of possible objects in a type set.

http://hg.mozilla.org/projects/jaegermonkey/rev/507c4273633a
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-jaegermonkey
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug643249.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.