627 js::ReportStrictModeError(JSContext *cx, TokenStream *ts, JSTreeContext *tc, JSParseNode *pn, 628 uintN errorNumber, ...) 630 JS_ASSERT(ts || tc); 635 if ((tc && tc->flags & TCF_STRICT_MODE_CODE) || (ts && ts->isStrictMode())) 636 flags = JSREPORT_ERROR; 644 bool result = ts->reportCompileErrorNumberVA(pn, flags, errorNumber, ap); The code seems perfectly happy with only a tc in line 630 and line 635, but at line 644 it changed its mind...

Comment on attachment 445082 [details] [diff] [review] patch Seems reasonable. I agree the code is incoherent.

There isn't any way to actually get this to crash, though, is there? It seems like all callers do pass a 'ts'.

Seems like ReportStrictModeError should be js::TokenStream::reportStrictModeError (an instance method). /be

if all callers pass ts, then there's no way to crash. the code as written with no understanding of callers could crash while it's making its second assertion. i stand by my bug summary as it's correct. but i've removed the keyword and adjusted the severity. if someone wants to do more work, i respectfully request they land this and then use their own bug to do further work. they're free to reference the bug number for that additional work here.

I find no current crashes containing js::ReportStrictModeError

AFAICT, this patch is no longer relevant because js::ReportStrictModeError is now a member function js::TokenStream::reportStrictModeError.