Closed
Bug 719750
Opened 13 years ago
Closed 12 years ago
Assertion failure: [infer failure] Missing type pushed 0: int with destructuring assignment
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, sec-critical, testcase, Whiteboard: [sg:critical][advisory-tracking+])
The following test asserts on mozilla-central revision e5e66f40c35b (options -n -m -a):
function f( ) {
var [ [x], e ] = ["*", "/", "%"];
function h() {
for (var i = 0; i < 5; ++i) {
x = i * 2;
}
}
h();
assertEq(x, 8);
}
f();
This bug strongly reminds me of bug 685321 which also had a destructuring assignment. S-s due to infer failure.
|
||
Comment 1•13 years ago
|
||
Yeah, this looks almost identical to bug 685321. The 'x' in f() is not marked as closed yet is overwritten within h().
|
||
Comment 2•13 years ago
|
||
I would expect bug 685321 to take care of this. I just tested m-i rev 374975f24277 and it WFM.
|
Reporter | |
Comment 3•13 years ago
|
||
(In reply to David Mandelin from comment #2)
> I would expect bug 685321 to take care of this. I just tested m-i rev
> 374975f24277 and it WFM.
I thought bug 685321 was already fixed? I just re-tested this on m-i tip (0a116f325333) and still get the crash.
|
|
||
Comment 4•13 years ago
|
||
Yeah, either this is a different underlying problem from bug 685321 (though the problem is still during parsing/emitting) or the bug 685321 fix was not complete.
|
||
Updated•13 years ago
|
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
|
|
||
Updated•13 years ago
|
status-firefox12:
--- → affected
tracking-firefox10:
--- → -
tracking-firefox12:
--- → +
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [needs testing on Fx10 and Fx11]
|
|
||
Updated•13 years ago
|
|
|
||
Updated•13 years ago
|
status-firefox13:
--- → affected
tracking-firefox13:
--- → +
|
|
||
Updated•13 years ago
|
status1.9.2:
--- → unaffected
status-firefox-esr10:
--- → affected
status-firefox10:
--- → affected
status-firefox11:
--- → affected
tracking-firefox-esr10:
--- → ?
|
|
||
Updated•13 years ago
|
Whiteboard: [sg:critical] [needs testing on Fx10 and Fx11] → [sg:critical]
|
|
||
Updated•13 years ago
|
tracking-firefox-esr10:
? → ---
|
||
Comment 5•13 years ago
|
||
Not going to push for this for 11.
|
|
||
Comment 6•13 years ago
|
||
This depends on bug 708892, which is too complicated to fix in time for 12.
|
||
Updated•13 years ago
|
status-firefox14:
--- → affected
tracking-firefox14:
--- → +
|
|
||
Updated•13 years ago
|
|
|
||
Comment 7•13 years ago
|
||
(In reply to David Mandelin from comment #6)
> This depends on bug 708892, which is too complicated to fix in time for 12.
How will we get all the depends-on bugs backported to ESR once this does get fixed?
status-firefox15:
--- → affected
tracking-firefox15:
--- → +
|
|
||
Comment 8•13 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #7)
> (In reply to David Mandelin from comment #6)
> > This depends on bug 708892, which is too complicated to fix in time for 12.
>
> How will we get all the depends-on bugs backported to ESR once this does get
> fixed?
Hmmm, not sure. Getting it fixed at is apparently difficult enough, so I'll worry about ESR once we get there.
|
||
Updated•13 years ago
|
Keywords: sec-critical
|
|
||
Comment 9•12 years ago
|
||
This WFM on trunk. I bet Luke's scope chain work fixed it. That was a huge chain of work and basically a new feature so backport is not realistic. Is there anything to do other than close WFM and mark branches wontfix?
|
|
||
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
|
|
||
Comment 10•12 years ago
|
||
Luke, could you please add this to the testsuite as well?
Flags: in-testsuite?
|
|
Reporter | |
Comment 11•12 years ago
|
||
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #10)
> Luke, could you please add this to the testsuite as well?
As far as I know, this affects ESR and I don't know if it was fixed because the original fix cannot be backported. If this is not fixed on ESR then adding the test now will make it much easier to detect this.
|
|
||
Comment 12•12 years ago
|
||
Test landed on mozilla-inbound:
http://hg.mozilla.org/integration/mozilla-inbound/rev/bb2a5759abb4
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 13•12 years ago
|
||
> http://hg.mozilla.org/integration/mozilla-inbound/rev/bb2a5759abb4
http://hg.mozilla.org/integration/mozilla-inbound/rev/efb3a00b3aad removes the extraneous print statement I added.
|
|
||
Comment 14•12 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/bb2a5759abb4
http://hg.mozilla.org/mozilla-central/rev/efb3a00b3aad
Test landed, so marking VERIFIED.
Status: RESOLVED → VERIFIED
|
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
Whiteboard: [sg:critical] → [sg:critical][advisory-tracking+]
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•