Closed Bug 709633 Opened 8 years ago Closed 8 years ago

Assertion failure: [infer failure] Missing type pushed 0: float, at jsinfer.cpp:348

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 692274

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed)

The following test asserts on mozilla-central revision 63bff373cb94 (options -m -n -a):


test();
function test() {
  var f;
  f = function() { (let(x) {y: z}) }
    let (f = function() {
        for (var t=0;t<6;++t) ++f;
    }) { f(); } //  {  }       
  actual = f + '';
}


Filing S-s because previous infer failures turned out to be security relevant.
This WFM on eb5d4c08a542 on Win 7 with a 32-bit build.
(In reply to David Mandelin from comment #1)
> This WFM on eb5d4c08a542 on Win 7 with a 32-bit build.

Cannot confirm. Still aborts for me on eb5d4c08a542 on Linux, 64 bit build.
I can repro on OS X x86 f5578fdc50ef.  I don't think this one is architecture dependent.

The '++f' in an inner function overwrites the 'var f' in the outermost function, even though that 'var f' is not marked as closed.  Tentatively marking as depending on bug 692274 which reworks handling of these let blocks.  Luke, can you test that patch on this testcase?
Luke, can you look at the above comment?  (I wish bugzilla didn't throw away CC: and dependency changes when posting so easily)
Depends on: 692274
Yep, bug 692274 fixes the assert.  I'll add the testcase in comment 0 to that patch and dup this bug.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 692274
No longer depends on: 692274
Group: core-security
You need to log in before you can comment on or make changes to this bug.