Closed Bug 698944 Opened 13 years ago Closed 13 years ago

"Assertion failure: [infer failure] Missing type in object [0x1019004c0] (index): int,"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 700501
Tracking Status
firefox7 - unaffected
firefox8 - unaffected
firefox9 - unaffected
firefox10 - unaffected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical] js-triage-needed)

o = __proto__
arguments.__proto__ = null
gc()
function f() {
    Object.keys(o)[2]
}
f()
Function("for each(w in[0]){w}")()

asserts js debug shell on JM changeset f951e9151626 with -m, -a and -n at Assertion failure: [infer failure] Missing type in object [0x1019004c0] (index): int,

Changing "0" to "true" in the last line results in:

Assertion failure: [infer failure] Missing type in object [0x101900140] (index): bool,

just like this testcase:

try {
    r
} catch (e) {}
function f(o) {
    o.__proto__ = null
}
f(arguments)
gc()
function g() {
    props = Object.getOwnPropertyNames([])
    props[1]
}
g()
Function("for each(z in[true]){s}")()


Locking s-s because these failures tend to be bad. Assuming sg:critical unless otherwise shown.

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

Related to bug 685321?
Since this is TI-related, I'm marking 8 and earlier unaffected; if that's not the case, please say so.
Summary: TI: "Assertion failure: [infer failure] Missing type in object [0x1019004c0] (index): int," → "Assertion failure: [infer failure] Missing type in object [0x1019004c0] (index): int,"
This does not affect either Firefox 9 or 10; it is a bug that is currently only on the JaegerMonkey branch, which is being used for object shrinking rather than TI (Gary and Christian, you shouldn't put TI: in bugs filed against the JM branch).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Group: core-security