Bug 707641 - Assertion failure: !script->createdArgs, at js/src/jsinfer.cpp:1662
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla11
Assigned To: Brian Hackett (:bhackett)
QA Contact: Jason Orendorff [:jorendorff]
Blocks: langfuzz
Reported: 2011-12-05 04:58 PST by Christian Holler (:decoder)
Modified: 2013-01-14 07:52 PST
Flags: choller: in-testsuite+

Attachment 579114: patch (1.39 KB, patch), 2011-12-05 10:18 PST, Brian Hackett (:bhackett), dvander: review+

Description  Christian Holler (:decoder) 2011-12-05 04:58:33 PST
The following test asserts on mozilla-central revision 1bd7482ad4d1 (options -m -n -a):

function a(a, prototype) {
  try {
    // `code` is never defined, so the ReferenceError raised by the `in`
    // operator is swallowed by the empty catch below; the assertion fires
    // while the compiler processes the arguments[a] access, not at runtime.
    typeof (arguments[a]) in code
  } catch(e) {}
}

The first bad revision is:
changeset:   77145:b961a248e94d
user:        Brian Hackett
date:        Sat Sep 17 19:31:33 2011 -0700
summary:     [INFER] Reapply f1c585415dd4 7c89b0ff453d 19794de530f1 (bug 686000).
Comment 1  Brian Hackett (:bhackett) 2011-12-05 10:18:54 PST
Created attachment 579114 [details] [diff] [review]

When the compiler asked for whether an ARGUMENTS op generates a lazy arguments value, it used the wrong API and did not generate a constraint which would recompile should the arguments get constructed later on.  This could potentially lead to incorrect behavior (directly accessing the original argument slots even if an arguments object has been constructed) but not a crash.
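As an added illustration (not code from this bug or from the SpiderMonkey tree), the following shows the semantics a lazy-arguments optimization has to preserve: in sloppy mode `arguments[i]` aliases the i-th formal, so once an arguments object is constructed, reads through it must observe writes to the formal and vice versa, which is exactly what a compiler that kept reading the original argument slot would get wrong. It also goes beyond the bug by contrasting the strict-mode case, where no aliasing exists; the use of the `Function` constructor is an assumption about the test environment, not something the bug depends on.

```javascript
// Added example, not from the bug report or from SpiderMonkey.
// In sloppy mode, arguments[i] and the i-th formal parameter are two views of
// the same slot. A compiler that answered "arguments stays lazy" and then
// never recompiled when the object was constructed could keep reading the raw
// argument slot and return stale values for `viaArgs` below.
//
// Built with the Function constructor so the function is sloppy-mode even if
// this file is loaded as a strict ES module (environment assumption).
const sloppyAliasing = new Function("x", "y", `
  // Read before the arguments object exists; an engine may serve this
  // directly from the raw argument slot.
  var before = arguments[0];
  // Let the arguments object escape: from here on it cannot stay lazy.
  var args = arguments;
  // Write through the formal; a correct engine reflects it in args[0].
  x = x + 1;
  // Write through the arguments object; it must be visible via the formal y.
  args[1] = y * 2;
  return { before: before, viaArgs: args[0], viaFormal: y, length: args.length };
`);

// Contrast: strict-mode functions get an unmapped arguments object, so there
// is no aliasing and the engine may keep formals and the object independent.
function strictNoAliasing(x, y) {
  "use strict";
  const args = arguments;
  x = x + 1;      // does not change args[0]
  args[1] = y * 2; // does not change y
  return { viaArgs: args[0], viaFormal: y };
}
```

Running `sloppyAliasing(1, 5)` must yield `viaArgs === 2` and `viaFormal === 10`; any engine reporting `viaArgs === 1` there is reading the original slot after the object was constructed.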
Comment 2  Brian Hackett (:bhackett) 2011-12-06 14:57:38 PST
Comment 3  Ed Morley [:emorley] 2011-12-07 02:32:33 PST
Comment 4  Christian Holler (:decoder) 2013-01-14 07:52:23 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug707641.js.
