Closed Bug 700464 Opened 13 years ago Closed 13 years ago

[ObjShrink] Crash [@ defaultValue] or [@ JS_ValueToString] or "Assertion failure: [infer failure] Missing type for arg 0: int,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 700501
Milestone:
mozilla10

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase)

Crash Data

o = [].__proto__
h = Array.prototype.__proto__
function g(o) {
    var prop = prop
    try {
        ({
            x: function() {
                return {
                    x: eval("o")
                }.x
            }
        }.x()[prop] = (6))
    } catch (e) {}
}
for (i = 0; i < 2; i++) {
    props = Object.getOwnPropertyNames({
        x: eval("o")
    }.x)
    prop = props.length ? props[props.h] + "p" : "";
    ({
        x: eval("o")
    }.x[prop] = o)
    g(h)
}
gc()
Function("{\
    function f(a) {\
        print(a)\
    }\
    for each(let b in[String]) {\
        f(b)\
    }\
}")()

asserts js debug shell on JM changeset 1210706b4576 with -m, -a and -n at Assertion failure: [infer failure] Missing type for arg 0: int, and crashes js opt shell at defaultValue.

This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Summary: Crash [@ defaultValue] or "Assertion failure: [infer failure] Missing type for arg 0: int," → [ObjShrink] Crash [@ defaultValue] or "Assertion failure: [infer failure] Missing type for arg 0: int,"
I've also seen possibly-related crashes at JS_ValueToString
Summary: [ObjShrink] Crash [@ defaultValue] or "Assertion failure: [infer failure] Missing type for arg 0: int," → [ObjShrink] Crash [@ defaultValue] or [@ JS_ValueToString] or "Assertion failure: [infer failure] Missing type for arg 0: int,"
Not sure if this is entirely correct:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   79348:6c7f986274b9
user:        Brian Hackett
date:        Sun Oct 30 08:27:19 2011 -0700
summary:     Fix GC hazard when constructing functions, bug 698156.
Blocks: 698156
Crash Signature: [@ defaultValue] [@ JS_ValueToString]
Keywords: regression
OS: Linux → All
Hardware: x86 → All
Status: NEW → RESOLVED
Closed: 13 years ago
OS: All → Linux
Hardware: All → x86
Resolution: --- → DUPLICATE
Target Milestone: --- → mozilla10
Version: Trunk → Other Branch
A testcase for this bug was already added in the original bug (bug 700501).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.