Assertion failure: [infer failure] Missing type in object [0x7fc592604680] (index): int, at jsinfer.cpp:341

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Trunk
x86_64
Linux
assertion, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-jaegermonkey)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following testcase asserts on mozilla-central revision fcca99426576 (run with -m -n -a), tested on 64 bit:


function printStatus(msg) {}
F = function () {};
F.prototype = new Int32Array(1);
o = new F();
function f2(o) {
	with (this)
		for (var x in o)
			printStatus(o[x]);
}
f2([]);

(Reporter)

Comment 1

6 years ago
One more question to this test: I remember that at some point, infer failures were critical, as in, we cannot continue, therefore we abort (either through assertion or controlled crash, which we changed a while ago). This test doesn't do anything for optimized builds, is that intended behavior?
The [infer failure] generally reflects that the core TI invariant, that the known types reflect the state of the world, is violated.  It does not mean we will crash later, but if we *do* crash it will probably be hard to track down the underlying cause.
Created attachment 558013
patch

Bogus assert.  Property type sets are not correct for objects with a class getter op, but we would still assert correctness for accesses on native objects which inherit properties from such objects.

Most of this patch is fixing Disassemble so that it can be called while iterating over scripts (and which I noticed while investigating this).  This broke after the recent CellIter changes in the GC (though I think that CellIter was correct to break this, as Disassemble shouldn't be allocating GC things while traversing arenas).
Attachment #558013 - Flags: review?(wmccloskey)
Duplicate of this bug: 684474
http://hg.mozilla.org/projects/jaegermonkey/rev/53e25966f155
Whiteboard: fixed-in-jaegermonkey
http://hg.mozilla.org/mozilla-central/rev/53e25966f155
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Comment on attachment 558013
patch

I guess this landed already.

It would be nice if there were a better way to do this, but I can't think of any.
Attachment #558013 - Flags: review?(wmccloskey) → review+
(Reporter)

Comment 8

5 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+