Patch forthcoming.
Created attachment 203743 [details] the patch I'm going to try to come up with a test case for this...
(In reply to comment #1) > Created an attachment (id=203743) [details] > the patch > > I'm going to try to come up with a test case for this... I tried but failed. This requires a very perverse combination of circumstances to become symptomatic.
Comment on attachment 203743 [details] the patch View in context: https://bugs.webkit.org/attachment.cgi?id=203743&action=review > Source/JavaScriptCore/dfg/DFGAbstractValue.cpp:220 > + if (!(m_type & SpecCell)) { > + ASSERT(m_currentKnownStructure.isClear()); > + ASSERT(m_futurePossibleStructure.isClear()); > + ASSERT(!m_arrayModes); > + } > + > + if (isClear()) > + ASSERT(!m_value); > + > + if (!!m_value) > + ASSERT(mergeSpeculations(m_type, speculationFromValue(m_value)) == m_type); > + > + // Note that it's possible for a prediction like (Final, []). This really means that > + // the value is bottom and that any code that uses the value is unreachable. But > + // we don't want to get pedantic about this as it would only increase the computational > + // complexity of the code. You could consider putting this all in a #if !ASSERT_DISABLED
Landed in http://trac.webkit.org/changeset/151229