The following testcase asserts on mozilla-central revision fe7f7ead589c (run with --fuzzing-safe): setJitCompilerOption("ion.usecount.trigger", 50); var proxy = new Boolean({ get: function() {} }, {}); Function.prototype.__proto__ = proxy; function g(x, y) {} function f() { g.apply(this, arguments); } for (var i = 0; i < 1000; ++i) { f(i, i*2); }

also found via bughunter on http://saint-marc.ws/index.php

Just need an extra setFoldedUnchecked call.

Comment on attachment 8355203 [details] [diff] [review] Patch Review of attachment 8355203 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jit/IonBuilder.cpp @@ +4935,5 @@ > > MArgumentsLength *numArgs = MArgumentsLength::New(alloc()); > current->add(numArgs); > > MApplyArgs *apply = MApplyArgs::New(alloc(), target, argFunc, numArgs, argThis); We are adding a use of argFunc here, The second part of the assertion should be verified in this case. @@ +4971,5 @@ > callInfo.setThis(argThis); > > // Pop function parameter. > MDefinition *argFunc = current->pop(); > + argFunc->setFoldedUnchecked(); Is the function inlined? If it is not, then the MCall should have a use of argFunc and the second part of the assertion should be verified too. Otherwise the issue is likely located in the inlining code.

Loading http://www.theb-hotels.com/the-b-roppongi/en/ yielded: Assertion failure: popped[i]->isImplicitlyUsed() || popped[i]->isNewDerivedTypedObject() || popped[i]->defUseCount() > poppedUses[i], at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jit/IonBuilder.cpp:1338 which looks like it's the same, although the first piece of the || chain has changed since the bug was filed.

Yeah, bug 953256 changed isFolded to isImplicitlyUsed.

Realized there's another place where we should set the flag. Sorry for the bugspam.