Closed Bug 660597 Opened 14 years ago Closed 14 years ago

TI: Assertion failure: !JSID_IS_VOID(id), at jsscope.cpp:807

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: assertion, testcase)

The following testcase asserts on TI revision 68620d37fb23 (run with -j -m -n -a), tested on 64 bit: function foo() { with(foo) this["00"]=function(){} } new foo;
Summary: TI: Assertion failure: \!JSID_IS_VOID(id), at jsscope.cpp:807 → TI: Assertion failure: !JSID_IS_VOID(id), at jsscope.cpp:807
Since type inference aggregates all integer properties into a single type set with the JSID_VOID id, we can't express information about whether a type object definitely has a particular integer property (not interested in this, either). When analyzing definite properties from calling 'new' on a script, we would try to detect integer properties being added to the object and bail out from the analysis. We did this detection incorrectly (tested 'id == MakeTypeId(id)' when id was already the result of calling MakeTypeId), so that these properties would never be filtered out. http://hg.mozilla.org/projects/jaegermonkey/rev/d6857a2609d5
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug660597.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.