Bug 673715 - TI+JM: Assertion failure: !script->createdArgs, at jsinfer.cpp:1537
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
Assigned To: general
QA Contact: Jason Orendorff [:jorendorff]
Blocks: infer-regress
Reported: 2011-07-23 11:17 PDT by Jan de Mooij [:jandem]
Modified: 2011-07-25 11:28 PDT

Description Jan de Mooij [:jandem] 2011-07-23 11:17:18 PDT
--
function g() {
    "use strict";
    for (var i = 0; i < 50; i++)
        arguments[0];
    eval("");
}
function f() {
    g.call(arguments);
}
f();
--
$ ./js -n -m test.js
Assertion failure: !script->createdArgs, at jsinfer.cpp:1537

Revision 4fbb36c1c9a3, 32-bit OS X.
Comment 1 Brian Hackett (:bhackett) 2011-07-25 11:28:33 PDT
Consistency problem with type object flags.  When marking a function as having created its arguments, being uninlineable, having been iterated over, and so forth, we leave the type lazy and just mark bits on the script/object.  If the type object for the function is created later because some analyzed/compiled script depends on it, we fill in the flags from the object's state.  There was a gap, though, where if we had constructed the type object but no constraints depending on its flags, then changes to those flags would never be reflected on the type object.  The fix makes sure that if a JS object with singleton type has had that type instantiated, the type's flags are always in sync with the state of the object.

http://hg.mozilla.org/projects/jaegermonkey/rev/3ccf93107941
