Assertion failure: [infer failure] Missing type pushed 0: <0xf6c09040>, at jsinfer.cpp:328

RESOLVED DUPLICATE of bug 788822

Status

()

Product:
Core
Component:
JavaScript Engine
Importance:
--
critical
Status:
RESOLVED DUPLICATE of bug 788822
Reported:
6 years ago
Modified:
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Version:
Trunk
Platform:
x86
Linux
Keywords:
assertion, regression, sec-critical, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update][sg:dupe 788822])

(Reporter)

Description

6 years ago 
The following testcase asserts on mozilla-central revision e4757379b99a (run with --ion-eager):


function TestCase(n, d, e, a) this.path 
new TestCase();
function f(y) {
  ("05", TestCase)();
}
for (var i = 0; i < 1000; ++i) {
  f(i);
}
(Reporter)

Comment 1

6 years ago 
Could be a dup of bug 788822, but not sure.
Whiteboard: [jsbugmon:update,bisect]
 (Reporter)

Updated

6 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
 (Reporter)

Comment 2

6 years ago 
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   106741:6cd206b37176
parent:      106740:b63bb39ed1c0
parent:      103644:a0240c1043ee
user:        David Anderson
date:        Wed Aug 29 17:51:24 2012 -0700
summary:     Merge from mozilla-central.

Not all ancestors of this changeset have been checked.
To check the other ancestors, start from the common ancestor, 88e47f6905e9.

Oops! We didn't test rev a0240c1043ee, a parent of the blamed revision! Let's do that now.
We did not test rev a0240c1043ee because it is not a descendant of either 4ceb3e9961e4 or e4757379b99a.
Rev a0240c1043ee: Found cached shell...    Testing... [Uninteresting] It didn't crash. (0.088 seconds)
good (not interesting) 
As expected, the parent's label is the opposite of the blamed rev's label.
Keywords: sec-critical
Keywords: regression

Comment 3

6 years ago 
jandem: choller guesses this is related to bug 788822. Since you investigated that bug do you agree?

Comment 4

6 years ago 
(In reply to Daniel Veditz [:dveditz] from comment #3)
> jandem: choller guesses this is related to bug 788822. Since you
> investigated that bug do you agree?

Yes, this is bug 788822.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 788822
Whiteboard: [jsbugmon:update] → [jsbugmon:update][sg:dupe 788822]
Group: core-security
You need to log in before you can comment on or make changes to this bug.