Closed Bug 793513 Opened 12 years ago Closed 12 years ago

Assertion failure: !unknownProperties(), at ../jsinferinlines.h:1440

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla18
Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: Benjamin)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][adv-main18-])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision e4757379b99a (run with --ion-eager):


gczeal(2);
function bottomUpTree(item,depth){
      return new(function  ( left = toString(2.3)   , ... depth    )  { 
		depth[bottomUpTree] = null;
      })(null,null,item);
}
for ( var n = 4; n <= 7; n += 1 ) {
    var minDepth = 4;
    var maxDepth = Math.max(minDepth + 2, n);
    var longLivedTree = bottomUpTree(0,maxDepth);
}
This doesn't crash but it contains gczeal so assuming it's GC related and therefore s-s.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update]
I'm not sure who's reviewing TI while bhackett is gone. Dave, feel free to punt.
Attachment #663842 - Flags: review?(dvander)
No longer blocks: IonFuzz
Summary: IonMonkey: Assertion failure: !unknownProperties(), at ../jsinferinlines.h:1440 → Assertion failure: !unknownProperties(), at ../jsinferinlines.h:1440
Comment on attachment 663842 [details] [diff] [review]
only try to set properties if there are no unknown ones

Thanks for the patch, Benjamin! I'm sending this over to Jan since he has a better idea of jsinfer guts.
Attachment #663842 - Flags: review?(dvander) → review?(jdemooij)
Comment on attachment 663842 [details] [diff] [review]
only try to set properties if there are no unknown ones

Review of attachment 663842 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM, thanks!
Attachment #663842 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/06a996a45063
Assignee: general → benjamin
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
The being patched does not seem to exist on the esr10 branch; don't know about Firefox 17 or 16
I believe this is specific to Ion/TI interactions.
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main18-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: