The default bug view has changed. See this FAQ.

Assertion failure: !script->createdArgs, at js/src/jsinfer.cpp:1662

RESOLVED FIXED in mozilla11

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla11
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following test asserts on mozilla-central revision 1bd7482ad4d1 (options -m -n -a):


function a(a, prototype)  {
  try {
    typeof (arguments[a]) in code
  } catch(e) {}
}
a();
a();


The first bad revision is:
changeset:   77145:b961a248e94d
user:        Brian Hackett
date:        Sat Sep 17 19:31:33 2011 -0700
summary:     [INFER] Reapply f1c585415dd4 7c89b0ff453d 19794de530f1 (bug 686000).
Created attachment 579114 [details] [diff] [review]
patch

When the compiler asked for whether an ARGUMENTS op generates a lazy arguments value, it used the wrong API and did not generate a constraint which would recompile should the arguments get constructed later on.  This could potentially lead to incorrect behavior (directly accessing the original argument slots even if an arguments object has been constructed) but not a crash.
Assignee: general → bhackett1024
Attachment #579114 - Flags: review?(dvander)
Attachment #579114 - Flags: review?(dvander) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/d9ce9c8fc013
https://hg.mozilla.org/mozilla-central/rev/d9ce9c8fc013
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
(Reporter)

Comment 4

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug707641.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.