|
10.64 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
Function.prototype.__proto__["p"] = 3
c = [].__proto__
c[5] = 3
Namespace.prototype.__proto__[4] = function() {}
gc()
Function("\
{\
function f(d) {}\
for each(let z in[0]) {\
f(z)\
}\
}\
")()
asserts js debug shell on JM changeset 1210706b4576 with -m, -a and -n at Assertion failure: [infer failure] Missing type for arg 0: <0xf6b0aaa0>,
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
|
(Reporter) | |
Comment 1•6 years ago
|
||
This may be related:
gc()
Function("\
{\
function g(f){}\
for each(let w in[0,0,0,[]]) {\
g(w)\
}\
}\
")()
Assertion failure: [infer failure] Missing type for arg 0: [0xf6c001c0],
|
(Assignee) | |
Comment 2•6 years ago
|
||
Created attachment 573059 [details] [diff] [review] patch The default 'new' types of certain objects (Object.prototype, Array.prototype, Function.prototype) are required in several places to have unknown property types. This broke with the object newType changes --- the object's new type is no longer a strong reference, and if it goes away and is recreated then the recreated type did not have unknown property types. The fix adds a bit to the flags in the prototype's base shape to indicate whether default 'new' types created off the object need unknown properties. https://hg.mozilla.org/projects/jaegermonkey/rev/493d52c0a104
|
|
(Assignee) | |
Updated•6 years ago
|
||
|
|
||
Comment 7•6 years ago
|
||
Comment on attachment 573059 [details] [diff] [review] patch Review of attachment 573059 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsinfer.cpp @@ +5740,5 @@ > + JSCompartment::NewTypeObjectSet &table = compartment()->newTypeObjects; > + if (table.initialized()) { > + JSCompartment::NewTypeObjectSet::Ptr p = table.lookup(this); > + if (p) > + MarkTypeObjectUnknownProperties(cx, *p); if (JSCompartment::NewTypeObjectSet::Ptr p = ...) ::: js/src/jsobj.h @@ +833,5 @@ > + /* > + * Mark an object as requiring its default 'new' type to have unknown > + * properties. This is set for a few builtins like Object.prototype and > + * Array.prototype; several places in the VM require that the default > + * type for these objects have unknown contents. Could you explain in more detail why some places in the VM requires this? If its a dirty hack, you could point to the dependent sites which should have explanatory comments; if its a general invariant, you could describe it.
|
||
Comment 8•5 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug700501.js.
Description
•