Closed Bug 700464 Opened 13 years ago Closed 13 years ago

[ObjShrink] Crash [@ defaultValue] or [@ JS_ValueToString] or "Assertion failure: [infer failure] Missing type for arg 0: int,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 700501
Milestone:
mozilla10

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase)

Crash Data

o = [].__proto__ h = Array.prototype.__proto__ function g(o) { var prop = prop try { ({ x: function() { return { x: eval("o") }.x } }.x()[prop] = (6)) } catch (e) {} } for (i = 0; i < 2; i++) { props = Object.getOwnPropertyNames({ x: eval("o") }.x) prop = props.length ? props[props.h] + "p" : ""; ({ x: eval("o") }.x[prop] = o) g(h) } gc() Function("{\ function f(a) {\ print(a)\ }\ for each(let b in[String]) {\ f(b)\ }\ }")() asserts js debug shell on JM changeset 1210706b4576 with -m, -a and -n at Assertion failure: [infer failure] Missing type for arg 0: int, and crashes js opt shell at defaultValue. This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Summary: Crash [@ defaultValue] or "Assertion failure: [infer failure] Missing type for arg 0: int," → [ObjShrink] Crash [@ defaultValue] or "Assertion failure: [infer failure] Missing type for arg 0: int,"
I've also seen possibly-related crashes at JS_ValueToString
Summary: [ObjShrink] Crash [@ defaultValue] or "Assertion failure: [infer failure] Missing type for arg 0: int," → [ObjShrink] Crash [@ defaultValue] or [@ JS_ValueToString] or "Assertion failure: [infer failure] Missing type for arg 0: int,"
Not sure if this is entirely correct: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 79348:6c7f986274b9 user: Brian Hackett date: Sun Oct 30 08:27:19 2011 -0700 summary: Fix GC hazard when constructing functions, bug 698156.
Blocks: 698156
Crash Signature: [@ defaultValue] [@ JS_ValueToString]
Keywords: regression
OS: Linux → All
Hardware: x86 → All
Status: NEW → RESOLVED
Closed: 13 years ago
OS: All → Linux
Hardware: All → x86
Resolution: --- → DUPLICATE
Target Milestone: --- → mozilla10
Version: Trunk → Other Branch
A testcase for this bug was already added in the original bug (bug 700501).
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.