Closed
Bug 844977
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: [infer failure] Missing type in object [0x7f02fbc26778] o: <0x7f02fbc3d640>, at jsinfer.cpp:315
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
Tracking | Status | |
---|---|---|
firefox21 | --- | unaffected |
firefox22 | --- | fixed |
firefox23 | --- | unaffected |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: decoder, Unassigned)
References
Details
(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update,ignore][adv-main22-])
The following testcase asserts on mozilla-central revision a0a2f97ef16c (run with --ion-eager):
function testMethodSet() {
for (var i = 0; i < 10; i++) {
x = {};
x.o = (eval("var x; (function() { return delete x; })"));
}
return x.o() + x.k();
}
testMethodSet()
Reporter | ||
Comment 1•12 years ago
|
||
S-s due to infer failure.
Blocks: IonFuzz
Summary: Assertion failure: [infer failure] Missing type in object [0x7f02fbc26778] o: <0x7f02fbc3d640>, at jsinfer.cpp:315 → IonMonkey: Assertion failure: [infer failure] Missing type in object [0x7f02fbc26778] o: <0x7f02fbc3d640>, at jsinfer.cpp:315
Whiteboard: [jsbugmon:update,bisect]
Reporter | ||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter | ||
Comment 2•12 years ago
|
||
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: 122543:5b0002d4b427
user: Brian Hackett
date: Thu Feb 21 06:46:46 2013 -0700
summary: Bug 842424 - Add missing newKind, r=terrence.
changeset: 122544:985efc588a5e
user: Mark Finkle
date: Thu Feb 21 08:52:37 2013 -0500
summary: Bug 843361 - Dump list of open files if we fail to unlock the DB r=blassey
changeset: 122545:cd16203968a5
user: Brian Hackett
date: Thu Feb 21 06:54:16 2013 -0700
summary: Bug 842425 - Watch for arrays that need elements converted to doubles when pushing elements, r=jandem.
changeset: 122546:0ded3af9b2d7
user: Brian Hackett
date: Thu Feb 21 06:56:54 2013 -0700
summary: Bug 743394 - Ion compile JSOP_EVAL, r=jandem.
changeset: 122547:48c067a87ba2
user: Brian Hackett
date: Thu Feb 21 07:02:41 2013 -0700
summary: Bug 842424 - Remove assertion.
This iteration took 25.763 seconds to run.
Reporter | ||
Comment 3•12 years ago
|
||
Needinfo from Brian based on comment 2. If bug 842425 is the regressor, then it's unlikely that it's a security bug, but since the bisect isn't clear, I can't tell.
Flags: needinfo?(bhackett1024)
Reporter | ||
Comment 4•12 years ago
|
||
Could also be a dup of bug 844977 as I just saw.
Reporter | ||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Reporter | ||
Comment 6•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 126563fd3ba1).
![]() |
||
Comment 7•12 years ago
|
||
Bug 847412 just got fixed, verifying with JSBugMon.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Reporter | ||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
Reporter | ||
Comment 8•12 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 126563fd3ba1).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 125414:91575402209a
user: Brian Hackett
date: Tue Mar 19 08:47:06 2013 -0600
summary: Bug 847412 - Monitor result type after a direct eval from Ion code, r=jandem.
This iteration took 108.480 seconds to run.
![]() |
||
Comment 9•12 years ago
|
||
JSBugMon confirms that this was also fixed by bug 847412.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Reporter | ||
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Reporter | ||
Comment 10•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Reporter | ||
Comment 11•12 years ago
|
||
Original bug is in-testsuite+, not taking this test.
Flags: in-testsuite? → in-testsuite-
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox22:
--- → fixed
status-firefox23:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Depends on: 847412
Updated•12 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main22-]
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•