TI+JM: Assertion failure: !script->createdArgs, at jsinfer.cpp:1537

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reporter: jandem
Assignee: Unassigned
Blocks: 1 bug

Description

6 years ago
--
function g() {
    "use strict";
    for (var i = 0; i < 50; i++)
        arguments[0];
    eval("");
}
function f() {
    g.call(arguments);
}
f();
--
$ ./js -n -m test.js
Assertion failure: !script->createdArgs, at jsinfer.cpp:1537

Revision 4fbb36c1c9a3, 32-bit OS X.
Consistency problem with type object flags.  When marking a function as having created its arguments, being uninlineable, having been iterated over, and so forth, we leave the type lazy and just mark bits on the script/object.  If the type object for the function is created later because some analyzed/compiled script depends on it, we fill in the flags from the object's state.  There was a gap, though, where if we had constructed the type object but no constraints depending on its flags, then changes to those flags would never be reflected on the type object.  The fix makes sure that if a JS object with singleton type has had that type instantiated, the type's flags are always in sync with the state of the object.

http://hg.mozilla.org/projects/jaegermonkey/rev/3ccf93107941
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
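
The flag-sync gap described in the comment above, as an added example that is not part of the original bug report and is not SpiderMonkey's code. It is a simplified C++ model of the behaviour as the comment describes it, and every name in it (`Function`, `TypeObject`, `markBuggy`, `markFixed`, the flag bits) is hypothetical.

```cpp
#include <cstdint>
#include <memory>

// Hypothetical flag bits; illustrative names, not SpiderMonkey's own.
enum : uint32_t { CREATED_ARGS = 1u << 0, UNINLINEABLE = 1u << 1 };

struct TypeObject {
    uint32_t flags = 0;
    bool hasFlagConstraints = false;  // true once compiled code depends on the flags
};

struct Function {
    uint32_t stateFlags = 0;           // bits marked on the script/object itself
    std::unique_ptr<TypeObject> type;  // lazy singleton type, null until requested
    // Instantiate the type on demand and fill its flags from the object's state.
    TypeObject &getType() {
        if (!type) {
            type = std::make_unique<TypeObject>();
            type->flags = stateFlags;
        }
        return *type;
    }
    // Modelled pre-fix path: a type with no flag constraints is skipped and goes stale.
    void markBuggy(uint32_t bit) {
        stateFlags |= bit;
        if (type && type->hasFlagConstraints) type->flags |= bit;
    }
    // Modelled fix: once the type exists, it always mirrors the object's state.
    void markFixed(uint32_t bit) {
        stateFlags |= bit;
        if (type) type->flags |= bit;
    }
    // Invariant: an instantiated type never disagrees with the object.
    bool consistent() const { return !type || type->flags == stateFlags; }
};

// Mark CREATED_ARGS before or after the type exists; report whether flags still match.
bool scenario(bool fixed, bool instantiateFirst) {
    Function fn;
    if (instantiateFirst) fn.getType();
    if (fixed) fn.markFixed(CREATED_ARGS); else fn.markBuggy(CREATED_ARGS);
    fn.getType();
    return fn.consistent();
}

int main() {  // exit 0 when only the pre-fix, instantiate-first case is stale
    return (!scenario(false, true) && scenario(false, false) && scenario(true, true)) ? 0 : 1;
}
```

Only the ordering "type instantiated first, flag marked afterwards, no constraints attached" breaks the invariant in the pre-fix model; marking the flag before the type exists is safe in both versions because the flags are copied at instantiation.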