Closed Bug 673715 Opened 13 years ago Closed 13 years ago

TI+JM: Assertion failure: !script->createdArgs, at jsinfer.cpp:1537

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: jandem, Unassigned)

--
function g() {
    "use strict";
    for (var i = 0; i < 50; i++)
        arguments[0];
    eval("");
}
function f() {
    g.call(arguments);
}
f();
--
$ ./js -n -m test.js
Assertion failure: !script->createdArgs, at jsinfer.cpp:1537

Revision 4fbb36c1c9a3, 32-bit OS X.

Consistency problem with type object flags. When marking a function as having created its arguments, being uninlineable, having been iterated over, and so forth, we leave the type lazy and just mark bits on the script/object. If the type object for the function is created later because some analyzed/compiled script depends on it, we fill in the flags from the object's state. There was a gap, though, where if we had constructed the type object but no constraints depending on its flags, then changes to those flags would never be reflected on the type object. The fix makes sure that if a JS object with singleton type has had that type instantiated, the type's flags are always in sync with the state of the object.

http://hg.mozilla.org/projects/jaegermonkey/rev/3ccf93107941
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
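
A simplified model of the flag-consistency gap described in the comment above, as an added example that is not SpiderMonkey code and not part of the original bug. All type, field and function names are hypothetical, and the pre-fix rule (propagate to the type only when constraints exist) is this model's reading of the comment.

```cpp
#include <cstdint>
#include <memory>

// Hypothetical flag bits, named after the states the comment lists.
enum : uint32_t { CREATED_ARGS = 1, UNINLINEABLE = 2, ITERATED = 4 };

struct TypeObject { uint32_t flags = 0; };

// Model of a function object whose singleton type is created lazily.
struct FunctionObject {
    uint32_t stateFlags = 0;           // bits kept on the script/object
    bool hasFlagConstraints = false;   // some constraint depends on the type's flags
    std::unique_ptr<TypeObject> type;  // null while the type is still lazy

    // Instantiating the type fills in its flags from the object's state.
    TypeObject *getType() {
        if (!type) {
            type.reset(new TypeObject());
            type->flags = stateFlags;
        }
        return type.get();
    }

    // Modeled pre-fix behaviour: the type is updated only when constraints exist.
    void markPreFix(uint32_t f) {
        stateFlags |= f;
        if (type && hasFlagConstraints) type->flags |= f;
    }

    // Modeled post-fix behaviour: an instantiated type always tracks the object.
    void markFixed(uint32_t f) {
        stateFlags |= f;
        if (type) type->flags |= f;
    }

    // Invariant: a lazy type is fine, an instantiated one must match the object.
    bool consistent() const { return !type || type->flags == stateFlags; }
};

// Instantiate the type first, then set a flag; report whether the invariant holds.
bool scenario(bool fixed, bool withConstraints) {
    FunctionObject fn;
    fn.hasFlagConstraints = withConstraints;
    fn.getType();
    if (fixed) fn.markFixed(CREATED_ARGS); else fn.markPreFix(CREATED_ARGS);
    return fn.consistent();
}

int main() { return (!scenario(false, false) && scenario(true, false)) ? 0 : 1; }
```

Only the combination "type already instantiated, no constraints, pre-fix marking" breaks the invariant, which is the state the assertion in the report caught.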