Closed
Bug 1113980
Opened 10 years ago
Closed 10 years ago
crash in js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
FIXED
People
(Reporter: alice0775, Unassigned)
Details
(Keywords: crash, topcrash)
Attachments (1 file)
1.58 KB, patch | Waldo: review+
This bug was filed from the Socorro interface and is
report bp-956ca8b6-2208-49d3-81cb-19b882141220.
=============================================================
Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6f1696df360b&tochange=7837628feeca
Comment 1 • 10 years ago (Reporter)
[Tracking Requested - why for this release]:
status-firefox37:
--- → affected
tracking-e10s:
? → ---
tracking-firefox37:
--- → ?
Summary: [e10s] crash in js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>) → crash in js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)
Comment 3 • 10 years ago (Reporter)
In local build
Last Good: 38c02eda337d
First Bad: 6a71021584ff
Flags: needinfo?(jorendorff)
Test case:
  var p = Proxy.create({
    getOwnPropertyDescriptor: function() {
      return {value: 1, configurable: true, writable: true};
    }
  }, null);
  var o = Object.create(p);
  o.a = 1;
Oh also interesting that apparently this is a version of Caja using the old proxies.
Comment 6 • 10 years ago
Tested that URL with e10s disabled, browser crashed and session restore failed - one time reopened to a blank browser, other times with "Trouble restoring..." message. With e10s enabled, just the one tab crashed.
Attachment #8540994 - Flags: review?(jwalden+bmo)
Comment 8 • 10 years ago
Comment on attachment 8540994
set-property
Review of attachment 8540994:
-----------------------------------------------------------------
Dunno if the exact semantics implemented here are correct, but this clearly removes the type error of passing an arbitrary receiver into a proxy handler trap where the proxy object was expected. So let's do this. Correct semantics should eventually fall out of jorendorff's ongoing refactoring of all this junk.
Attachment #8540994 - Flags: review?(jwalden+bmo) → review+
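Added example, not part of the bug comments or the attached patch: the review above turns on the difference between the proxy and the receiver of an assignment. The sketch below restates the page's test case with the standard ES2015 Proxy and Reflect API (an assumption, since the test case uses the old Proxy.create); makeProxy, runCase and the defineOn switch are hypothetical names, and the set trap is an illustrative derived trap, not SpiderMonkey's C++.

```javascript
// Hypothetical helper: a proxy whose getOwnPropertyDescriptor trap is the one
// from the test case, plus a `set` trap that derives assignment from it.
// `defineOn` selects which object the derived set defines the property on.
function makeProxy(defineOn, log) {
  const handler = {
    getOwnPropertyDescriptor() {
      return { value: 1, configurable: true, writable: true };
    },
    defineProperty(target, key, desc) {
      // Only reached when a define is addressed to the proxy itself.
      log.push("proxy defineProperty trap: " + String(key));
      return Reflect.defineProperty(target, key, desc);
    },
    set(target, key, value, receiver) {
      // Ask the proxy (through the trap above) whether the key is writable.
      const own = Reflect.getOwnPropertyDescriptor(proxy, key);
      if (own && !own.writable) return false;
      // The receiver is the object being assigned to. For `o.a = 1` with
      // `o = Object.create(proxy)` it is `o`, an ordinary object, not the proxy.
      const dest = defineOn === "receiver" ? receiver : proxy;
      return Reflect.defineProperty(dest, key, {
        value, writable: true, enumerable: true, configurable: true,
      });
    },
  };
  const proxy = new Proxy({}, handler);
  return proxy;
}

// Runs the shape of the page's test case and reports where the write landed.
function runCase(defineOn) {
  const log = [];
  const p = makeProxy(defineOn, log);
  const o = Object.create(p);
  o.a = 1;
  return {
    ownOnReceiver: Object.prototype.hasOwnProperty.call(o, "a"),
    trapCalls: log,
  };
}

console.log(runCase("receiver"));
console.log(runCase("proxy"));
```

With "receiver" the property becomes an own property of o and the proxy's defineProperty trap is never entered; with "proxy" the write is routed into the proxy's trap and o gets no own property.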
Thanks. I agree this is probably better, but Jason should still take a look at this.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=6767f9dce400
https://hg.mozilla.org/integration/mozilla-inbound/rev/7fbd629599de
Keywords: leave-open
Comment 11 • 10 years ago
This landed on m-c at the beginning of Jan. As this bug is tracked for 37, does it need to remain open? Has this issue been addressed?
Assignee: nobody → administration
Flags: needinfo?(evilpies)
Comment 12 • 10 years ago
This is waiting on Jason to answer his needinfo request.
Flags: needinfo?(evilpies)
Comment 13 • 10 years ago
Thanks for leaving it open. I'm worried about this and need to confer with bz.
Flags: needinfo?(jorendorff)
Comment 14 • 10 years ago
Talked with bz. Tom's fix is the right thing.
I've filed follow-up bug 1130537 to fix some underlying weirdness, and hope to get a patch in quickly...
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 15 • 7 years ago
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open