Closed Bug 1113980 Opened 10 years ago Closed 10 years ago

crash in js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)

Categories

(Core :: JavaScript Engine, defect)

37 Branch
x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
firefox37 + fixed

People

(Reporter: alice0775, Unassigned)

References

()

Details

(Keywords: crash, topcrash)

Crash Data

Attachments

(1 file)

This bug was filed from the Socorro interface and is report bp-956ca8b6-2208-49d3-81cb-19b882141220. ============================================================= Pushlog: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=6f1696df360b&tochange=7837628feeca
[Tracking Requested - why for this release]:
tracking-e10s: ? → ---
Summary: [e10s] crash in js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>) → crash in js::ScriptedIndirectProxyHandler::defineProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JSPropertyDescriptor>)
In local build Last Good: 38c02eda337d First Bad: 6a71021584ff
Flags: needinfo?(jorendorff)
Test case: var p = Proxy.create({ getOwnPropertyDescriptor: function() { return {value: 1, configurable: true, writable: true}; } }, null); var o = Object.create(p); o.a = 1;
Oh also interesting that apparently this is a version of Caja using the old proxies.
Tested that URL with e10s disabled, browser crashed and session restore failed - one time reopened to a blank browser, other times with "Trouble restoring..." message. With e10s enabled, just the one tab crashed.
Blocks: 1112585
Keywords: topcrash
Attached patch set-propertySplinter Review
Attachment #8540994 - Flags: review?(jwalden+bmo)
Comment on attachment 8540994 [details] [diff] [review] set-property Review of attachment 8540994 [details] [diff] [review]: ----------------------------------------------------------------- Dunno if the exact semantics implemented here are correct, but this clearly removes the type error of passing an arbitrary receiver into a proxy handler trap where the proxy object was expected. So let's do this. Correct semantics should eventually fall out of jorendorff's ongoing refactoring of all this junk.
Attachment #8540994 - Flags: review?(jwalden+bmo) → review+
Keywords: leave-open
This landed on m-c at the beginning of Jan. As this bug is tracked for 37, does it need to remain open? Has this issue been addressed?
Assignee: nobody → administration
Flags: needinfo?(evilpies)
This is waiting on Jason to answer his needinfo request.
Flags: needinfo?(evilpies)
Thanks for leaving it open. I'm worried about this and need to confer with bz.
Flags: needinfo?(jorendorff)
Talked with bz. Tom's fix is the right thing. I've filed follow-up bug 1130537 to fix some underlying weirdness, and hope to get a patch in quickly...
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: