Function.prototype.__proto__["p"] = 3 c = [].__proto__ c[5] = 3 Namespace.prototype.__proto__[4] = function() {} gc() Function("\ {\ function f(d) {}\ for each(let z in[0]) {\ f(z)\ }\ }\ ")() asserts js debug shell on JM changeset 1210706b4576 with -m, -a and -n at Assertion failure: [infer failure] Missing type for arg 0: <0xf6b0aaa0>, This was found using a combination of jsfunfuzz and jandem's method fuzzer.
This may be related: gc() Function("\ {\ function g(f){}\ for each(let w in[0,0,0,[]]) {\ g(w)\ }\ }\ ")() Assertion failure: [infer failure] Missing type for arg 0: [0xf6c001c0],
Created attachment 573059 [details] [diff] [review] patch The default 'new' types of certain objects (Object.prototype, Array.prototype, Function.prototype) are required in several places to have unknown property types. This broke with the object newType changes --- the object's new type is no longer a strong reference, and if it goes away and is recreated then the recreated type did not have unknown property types. The fix adds a bit to the flags in the prototype's base shape to indicate whether default 'new' types created off the object need unknown properties. https://hg.mozilla.org/projects/jaegermonkey/rev/493d52c0a104
*** Bug 700471 has been marked as a duplicate of this bug. ***
*** Bug 700480 has been marked as a duplicate of this bug. ***
*** Bug 700464 has been marked as a duplicate of this bug. ***
*** Bug 698944 has been marked as a duplicate of this bug. ***
Comment on attachment 573059 [details] [diff] [review] patch Review of attachment 573059 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsinfer.cpp @@ +5740,5 @@ > + JSCompartment::NewTypeObjectSet &table = compartment()->newTypeObjects; > + if (table.initialized()) { > + JSCompartment::NewTypeObjectSet::Ptr p = table.lookup(this); > + if (p) > + MarkTypeObjectUnknownProperties(cx, *p); if (JSCompartment::NewTypeObjectSet::Ptr p = ...) ::: js/src/jsobj.h @@ +833,5 @@ > + /* > + * Mark an object as requiring its default 'new' type to have unknown > + * properties. This is set for a few builtins like Object.prototype and > + * Array.prototype; several places in the VM require that the default > + * type for these objects have unknown contents. Could you explain in more detail why some places in the VM requires this? If its a dirty hack, you could point to the dependent sites which should have explanatory comments; if its a general invariant, you could describe it.
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug700501.js.
or
