Closed Bug 844977 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: [infer failure] Missing type in object [0x7f02fbc26778] o: <0x7f02fbc3d640>, at jsinfer.cpp:315

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
Tracking Status
firefox21 --- unaffected
firefox22 --- fixed
firefox23 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, sec-high, testcase, Whiteboard: [jsbugmon:update,ignore][adv-main22-])

The following testcase asserts on mozilla-central revision a0a2f97ef16c (run with --ion-eager): function testMethodSet() { for (var i = 0; i < 10; i++) { x = {}; x.o = (eval("var x; (function() { return delete x; })")); } return x.o() + x.k(); } testMethodSet()
S-s due to infer failure.
Blocks: IonFuzz
Summary: Assertion failure: [infer failure] Missing type in object [0x7f02fbc26778] o: <0x7f02fbc3d640>, at jsinfer.cpp:315 → IonMonkey: Assertion failure: [infer failure] Missing type in object [0x7f02fbc26778] o: <0x7f02fbc3d640>, at jsinfer.cpp:315
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of: changeset: 122543:5b0002d4b427 user: Brian Hackett date: Thu Feb 21 06:46:46 2013 -0700 summary: Bug 842424 - Add missing newKind, r=terrence. changeset: 122544:985efc588a5e user: Mark Finkle date: Thu Feb 21 08:52:37 2013 -0500 summary: Bug 843361 - Dump list of open files if we fail to unlock the DB r=blassey changeset: 122545:cd16203968a5 user: Brian Hackett date: Thu Feb 21 06:54:16 2013 -0700 summary: Bug 842425 - Watch for arrays that need elements converted to doubles when pushing elements, r=jandem. changeset: 122546:0ded3af9b2d7 user: Brian Hackett date: Thu Feb 21 06:56:54 2013 -0700 summary: Bug 743394 - Ion compile JSOP_EVAL, r=jandem. changeset: 122547:48c067a87ba2 user: Brian Hackett date: Thu Feb 21 07:02:41 2013 -0700 summary: Bug 842424 - Remove assertion. This iteration took 25.763 seconds to run.
Keywords: sec-high
Needinfo from Brian based on comment 2. If bug 842425 is the regressor, then it's unlikely that it's a security bug, but since the bisect isn't clear, I can't tell.
Flags: needinfo?(bhackett1024)
Could also be a dup of bug 844977 as I just saw.
This should be a dupe of bug 847412.
Flags: needinfo?(bhackett1024)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 126563fd3ba1).
Bug 847412 just got fixed, verifying with JSBugMon.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 126563fd3ba1). JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 125414:91575402209a user: Brian Hackett date: Tue Mar 19 08:47:06 2013 -0600 summary: Bug 847412 - Monitor result type after a direct eval from Ion code, r=jandem. This iteration took 108.480 seconds to run.
JSBugMon confirms that this was also fixed by bug 847412.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Original bug is in-testsuite+, not taking this test.
Flags: in-testsuite? → in-testsuite-
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main22-]
Group: core-security
You need to log in before you can comment on or make changes to this bug.