Closed
Bug 847412
Opened 11 years ago
Closed 11 years ago
IonMonkey: Assertion failure: [infer failure] Missing type in object [0x7f23d0f2b820] actual: float, at jsinfer.cpp:315
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla22
| | Tracking | Status |
|---|---|---|
| firefox19 | --- | unaffected |
| firefox20 | --- | unaffected |
| firefox21 | --- | unaffected |
| firefox22 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update][adv-main22-])
Attachments
(1 file)
1.42 KB, patch | jandem: review+
The following testcase asserts on mozilla-central revision f99a075a5bce (run with --ion-eager):

```js
var gTestcases = new Array();
var gTc = gTestcases.length;
function TestCase(a) {
  this.actual = a;
  gTestcases[gTc++] = this;
}
function test() {
  for (gTc = 0; gTc < gTestcases.length; gTc++) {
    gTestcases[gTc].actual.toString()
  }
}
function testOverwritingSparseHole() {
  for (var i = 0; i < 50; i++)
    new TestCase(eval("VAR1 = 0; VAR2 = -1; VAR1 %= VAR2; VAR1"));
}
testOverwritingSparseHole();
test();
this.toSource();
```
Reporter
Comment 1•11 years ago
S-s due to infer failure.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Updated•11 years ago
Keywords: sec-critical
Updated•11 years ago
Comment 2•11 years ago
autoBisect shows this is probably related to the following changeset:

```
The first bad revision is:
changeset: 122546:0ded3af9b2d7
user: Brian Hackett
date: Thu Feb 21 06:56:54 2013 -0700
summary: Bug 743394 - Ion compile JSOP_EVAL, r=jandem.
```

Brian, is bug 743394 a likely regressor? (Setting flags based on this assumption)
Blocks: 743394
status-firefox19:
--- → unaffected
status-firefox20:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Keywords: regressionwindow-wanted → regression
Reporter
Updated•11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Reporter
Comment 3•11 years ago
JSBugMon: Bisection requested, result:

```
Due to skipped revisions, the first bad revision could be any of:
changeset: 122543:5b0002d4b427
user: Brian Hackett
date: Thu Feb 21 06:46:46 2013 -0700
summary: Bug 842424 - Add missing newKind, r=terrence.

changeset: 122544:985efc588a5e
user: Mark Finkle
date: Thu Feb 21 08:52:37 2013 -0500
summary: Bug 843361 - Dump list of open files if we fail to unlock the DB r=blassey

changeset: 122545:cd16203968a5
user: Brian Hackett
date: Thu Feb 21 06:54:16 2013 -0700
summary: Bug 842425 - Watch for arrays that need elements converted to doubles when pushing elements, r=jandem.

changeset: 122546:0ded3af9b2d7
user: Brian Hackett
date: Thu Feb 21 06:56:54 2013 -0700
summary: Bug 743394 - Ion compile JSOP_EVAL, r=jandem.

changeset: 122547:48c067a87ba2
user: Brian Hackett
date: Thu Feb 21 07:02:41 2013 -0700
summary: Bug 842424 - Remove assertion.

This iteration took 27.244 seconds to run.
```
Assignee
Comment 6•11 years ago
In the usual direct eval case from Ion, no type barrier was being added for the result of the eval.
Assignee: general → bhackett1024
Attachment #725764 -
Flags: review?(jdemooij)
Comment 7•11 years ago
Comment on attachment 725764
patch

Review of attachment 725764:
-----------------------------------------------------------------

Good catch.
Attachment #725764 -
Flags: review?(jdemooij) → review+
Assignee
Comment 8•11 years ago
Comment on attachment 725764
patch

[Security approval request comment]
Which older supported branches are affected by this flaw?

Nightly.
Attachment #725764 -
Flags: sec-approval?
Comment 9•11 years ago
Comment on attachment 725764
patch

Nightly-only security patches don't need sec-approval.
Attachment #725764 -
Flags: sec-approval?
Assignee
Comment 10•11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/91575402209a
Comment 11•11 years ago
https://hg.mozilla.org/mozilla-central/rev/91575402209a
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Reporter
Updated•11 years ago
Status: RESOLVED → VERIFIED
Reporter
Comment 12•11 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•11 years ago
status-b2g18:
--- → unaffected
Updated•11 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main22-]
Updated•11 years ago
Group: core-security