Closed Bug 663690 Opened 9 years ago Closed 9 years ago

TI: "Assertion failure: [infer failure] Missing type pushed 0: string,"

Categories

(Core :: JavaScript Engine, defect, critical)

RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: assertion, testcase)

function g(c) {
  b = b = h(c);
}
function j(s) {
  return Function(s)
}
function h(c) {
  return j(c)()
}
g()
var a
Boolean.__proto__[a] = []
g("return gc()")

asserts js debug shell on JM changeset 38f2fbc8490d with -m, -a and -n at Assertion failure: [infer failure] Missing type pushed 0: string,

This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Because of the uniquely positioned gc, the testcase took a hideously long time to reduce. :-/

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   63404:38bc7af66c0b
user:        Brian Hackett
date:        Sun Mar 20 09:48:13 2011 -0700
summary:     [INFER] Don't try to fully update the pushed types on uncacheable NAME ops, bug 643113.

Blocks: 643113
OS: Linux → All
Hardware: x86 → All

(In reply to comment #2)
> autoBisect shows this is probably related to the following changeset:
> 
> The first good revision is:
> changeset:   63404:38bc7af66c0b
> user:        Brian Hackett
> date:        Sun Mar 20 09:48:13 2011 -0700
> summary:     [INFER] Don't try to fully update the pushed types on
> uncacheable NAME ops, bug 643113.

Not sure if this is entirely correct or not..

When returning into the interpoline after finishing a scripted call, the interpoline needed to monitor the result of the call.  (Monitoring in the interpoline isn't needed in other places, because there we are returning from a stub call which is responsible for calling monitor() itself).  This is a regression from rev a2dbb9efcf9e, which introduced type barriers at call sites.

http://hg.mozilla.org/projects/jaegermonkey/rev/f59a6cabfbd4
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Duplicate of this bug: 663708
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug663690.js.
Flags: in-testsuite+
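
A toy model of the invariant described in the fix comment, as an added example that is not JaegerMonkey code and not part of the original bug: each call site keeps a set of observed result types, a debug check requires every pushed value's type to be in that set, and the path that resumes after a scripted call has to record the result itself. The names `CallSite`, `returnFromStub`, `returnFromScripted` and `run` are hypothetical, and the message format only imitates the assertion text quoted above.

```javascript
// Toy model only: hypothetical names, not SpiderMonkey/JaegerMonkey internals.
function typeOf(v) { return v === null ? "null" : typeof v; }

class CallSite {
  constructor() { this.observed = new Set(); }  // result types inference knows about
  // Record the type of a value produced at this call site.
  monitor(value) { this.observed.add(typeOf(value)); }
  // Debug-build style check: a pushed value must have an already-recorded type.
  checkPushed(value) {
    const t = typeOf(value);
    if (!this.observed.has(t)) {
      throw new Error("[infer failure] Missing type pushed 0: " + t);
    }
    return value;
  }
}

// Return path 1: a stub call. The stub is responsible for monitoring its result.
function returnFromStub(site, nativeFn) {
  const v = nativeFn();
  site.monitor(v);
  return v;
}

// Return path 2: a scripted call finished and control resumes in the
// "interpoline". Nothing else has recorded the result, so the interpoline
// must do it; interpolineMonitors=false models the regression.
function returnFromScripted(site, scriptedFn, interpolineMonitors) {
  const v = scriptedFn();
  if (interpolineMonitors) site.monitor(v);
  return v;
}

// Drive both return paths through one call site and report the outcome.
function run(interpolineMonitors) {
  const site = new CallSite();
  site.checkPushed(returnFromStub(site, () => 1)); // stub path always passes
  try {
    site.checkPushed(returnFromScripted(site, () => "s", interpolineMonitors));
    return "ok";
  } catch (e) {
    return e.message;
  }
}

console.log("regressed:", run(false));
console.log("fixed:    ", run(true));
```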