Bug 707641 - Assertion failure: !script->createdArgs, at js/src/jsinfer.cpp:1662
Status: RESOLVED FIXED
Whiteboard: js-triage-needed
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla11
Assigned To: Brian Hackett (:bhackett)
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz
Reported: 2011-12-05 04:58 PST by Christian Holler (:decoder)
Modified: 2013-01-14 07:52 PST (History)
CC: 5 users
Flags: choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
patch (1.39 KB, patch)
2011-12-05 10:18 PST, Brian Hackett (:bhackett)
dvander: review+

Description Christian Holler (:decoder) 2011-12-05 04:58:33 PST
The following test asserts on mozilla-central revision 1bd7482ad4d1 (options -m -n -a):


function a(a, prototype)  {
  try {
    // Indexed read of `arguments` with a non-numeric index (`a` is undefined when
    // the function is called with no arguments). `code` is not defined, so the
    // `in` test throws a ReferenceError, which the catch below swallows.
    typeof (arguments[a]) in code
  } catch(e) {}
}
// Called twice to reproduce the assertion.
a();
a();


The first bad revision is:
changeset:   77145:b961a248e94d
user:        Brian Hackett
date:        Sat Sep 17 19:31:33 2011 -0700
summary:     [INFER] Reapply f1c585415dd4 7c89b0ff453d 19794de530f1 (bug 686000).
Comment 1 Brian Hackett (:bhackett) 2011-12-05 10:18:54 PST
Created attachment 579114
patch

When the compiler asked whether an ARGUMENTS op generates a lazy arguments value, it used the wrong API and did not generate a constraint which would recompile should the arguments get constructed later on. This could potentially lead to incorrect behavior (directly accessing the original argument slots even if an arguments object has been constructed) but not a crash.
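The language-level contract that the lazy-arguments optimization described above has to preserve, as an added JavaScript example that is not part of this bug or of the patch (function names are invented; it checks only observable behaviour, not SpiderMonkey internals). In a sloppy-mode function with a simple parameter list, `arguments[i]` and the i-th formal parameter alias each other, and that must hold whether the engine serves `arguments[i]` from the original argument slot or from an arguments object it has since constructed; a compiler that keeps reading the raw slot after the object exists would return stale values here. Strict-mode functions get an unmapped arguments object with no aliasing, which the second function contrasts.

```javascript
// Added example (hypothetical names), not code from the bug report or the patch.
// The sloppy-mode function is built with the Function constructor so it stays
// sloppy even if this file is loaded as an ES module (where every function is strict).
var mappedArgumentsCheck = new Function("x", `
  // Plain indexed read: an engine may satisfy this from the original argument slot
  // without building an arguments object.
  var before = arguments[0];
  // Letting \`arguments\` escape forces the arguments object to be constructed.
  var args = arguments;
  // Write through the formal parameter; a mapped arguments object must observe it.
  x = x + 1;
  var afterFormalWrite = args[0];
  // Write through the arguments object; the formal and a fresh indexed read must
  // both observe it. Reading the stale argument slot here would give 2, not 100.
  args[0] = 100;
  return { before: before, afterFormalWrite: afterFormalWrite, viaFormal: x, viaIndex: arguments[0] };
`);

function unmappedArgumentsCheck(x) {
  // Strict mode: unmapped arguments object, no aliasing in either direction.
  "use strict";
  var args = arguments;
  x = x + 1;
  var afterFormalWrite = args[0]; // still the original value
  args[0] = 100;
  return { afterFormalWrite: afterFormalWrite, viaFormal: x, viaIndex: arguments[0] };
}

function indexedReadOfMissingArgument(a) {
  // Mirrors the fuzzer testcase's `arguments[a]` with no arguments passed: the index
  // is undefined, the read yields undefined, and nothing is thrown.
  return typeof arguments[a];
}

// Run each check repeatedly so a JIT reaches its compiled path, like the
// back-to-back calls in the testcase, and confirm every iteration agrees.
function runChecks(iterations) {
  var n = iterations || 50;
  for (var k = 0; k < n; k++) {
    var m = mappedArgumentsCheck(1);
    if (m.before !== 1 || m.afterFormalWrite !== 2 || m.viaFormal !== 100 || m.viaIndex !== 100) {
      return false;
    }
    var u = unmappedArgumentsCheck(1);
    if (u.afterFormalWrite !== 1 || u.viaFormal !== 2 || u.viaIndex !== 100) {
      return false;
    }
    if (indexedReadOfMissingArgument() !== "undefined") {
      return false;
    }
  }
  return true;
}

console.log("arguments aliasing contract holds:", runChecks());
```

Running this under a correct engine prints `true`; the mapped check is the one that would expose a compiler reading argument slots after an arguments object has been created, since `viaFormal` and `viaIndex` would then disagree with `args[0]`.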
Comment 2 Brian Hackett (:bhackett) 2011-12-06 14:57:38 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/d9ce9c8fc013
Comment 3 Ed Morley [:emorley] 2011-12-07 02:32:33 PST
https://hg.mozilla.org/mozilla-central/rev/d9ce9c8fc013
Comment 4 Christian Holler (:decoder) 2013-01-14 07:52:23 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug707641.js.
