Error.prototype.__proto__.p = 5; f = Function("return( \"\" <arguments for(w in[]))"); for (i in f()) {} crashes js opt shell on JM changeset 56eeb8e6d7c2 with -n at js::DefaultValue and asserts js debug shell at Assertion failure: v.isObject(), autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 70194:81997070017e user: Brian Hackett date: Thu May 26 12:28:19 2011 -0700 summary: [INFER] Optimize arguments accesses, bug 658638.

This was found using a combination of jsfunfuzz and jandem's method fuzzer.

The script here contains JSOP_ARGUMENTS but it does not have the usesArguments flag set. I think this is a bug in TM, but I'm not sure. Should the script->usesArguments flag be synonymous with 'script contains JSOP_ARGUMENTS' ? This was my reading of its comment. CC'ing dvander.

Reminder note to double check the bug 660562 testcase when this gets resolved.

Fix. We recorded the usesArguments on the function's TreeContext, and then made a new script to handle the array comprehension. generatorExpr tried to propagate the deoptimization flags from the outer script into the comprehension script, but this was actually a no-op because it did this on the inner tc rather than the outer tc (here, tc == &gentc). This is purely a TM issue, but I'd like to land this fix directly on JM and not TM, since this mainly affects JM and JM will be merging to TM very soon anyways. It does need to get reviewed though, since this is outside the inference code and not under the purview of bug 657412.

Comment on attachment 537913 [details] [diff] [review] patch Review of attachment 537913 [details] [diff] [review]: -----------------------------------------------------------------

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug660538.js.