792183 - Assertion failure: [infer failure] Missing type pushed 0: <0xf6c09040>, at jsinfer.cpp:328

Status: RESOLVED DUPLICATE of bug 788822

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following testcase asserts on mozilla-central revision e4757379b99a (run with --ion-eager):


function TestCase(n, d, e, a) this.path 
new TestCase();
function f(y) {
  ("05", TestCase)();
}
for (var i = 0; i < 1000; ++i) {
  f(i);
}

Comment 1

[Christian Holler (:decoder)]

Could be a dup of bug 788822, but not sure.

Comment 2

[Christian Holler (:decoder)]

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   106741:6cd206b37176
parent:      106740:b63bb39ed1c0
parent:      103644:a0240c1043ee
user:        David Anderson
date:        Wed Aug 29 17:51:24 2012 -0700
summary:     Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
To check the other ancestors, start from the common ancestor, 88e47f6905e9.

Oops! We didn't test rev a0240c1043ee, a parent of the blamed revision! Let's do that now.
We did not test rev a0240c1043ee because it is not a descendant of either 4ceb3e9961e4 or e4757379b99a.
Rev a0240c1043ee: Found cached shell...    Testing... [Uninteresting] It didn't crash. (0.088 seconds)
good (not interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.

Comment 3

[Daniel Veditz [:dveditz]]

jandem: choller guesses this is related to bug 788822. Since you investigated that bug do you agree?

Comment 4

[Jan de Mooij [:jandem]]

(In reply to Daniel Veditz [:dveditz] from comment #3)
> jandem: choller guesses this is related to bug 788822. Since you
> investigated that bug do you agree?

Yes, this is bug 788822.