Closed
Bug 112974
Opened 24 years ago
Closed 23 years ago
inheriting proto's map does not take into account JSCLASS_HAS_PRIVATE
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.0.2
People
(Reporter: jband_mozilla, Assigned: brendan)
References
Details
(Keywords: js1.5)
Attachments
(2 files)
|
1.46 KB,
text/plain
|
Details | |
|
802 bytes,
patch
|
rogerl
:
review+
jband_mozilla
:
superreview+
|
Details | Diff | Splinter Review |
This is from the newsgroup.
news://news.mozilla.org:119/3C05ABA3.2F69447F@emsoftltd.com
I confirmed this. I'll attach a sample C file (can be put in place of js.c to
build easily). The problem does not show up if JS_InitStandardClasses is called
on the global before it is used as the proto because its slot count is changed
quite a bit from its initial state. But when using the global resolve hook stuff
the global is left in its initial state and the map is not sufficient for later
expectations as used in the second object. This same problem would occur if some
other plain JS object were used as the proto.
I'm going to wimp out and not propose a fix at this point.
|
Reporter | |
Comment 1•24 years ago
|
||
|
|
Reporter | |
Updated•24 years ago
|
Summary: inheriting proto's map does take into account JSCLASS_HAS_PRIVATE → inheriting proto's map does not take into account JSCLASS_HAS_PRIVATE
|
Assignee | |
Comment 3•24 years ago
|
||
I'll help in 0.9.9.
/be
|
||
Updated•24 years ago
|
Target Milestone: mozilla0.9.9 → mozilla1.0.1
|
|
Assignee | |
Comment 5•23 years ago
|
||
This is something I really should considef for mozilla1.0/js1.5.
/be
Assignee: khanson → brendan
Status: ASSIGNED → NEW
|
|
Assignee | |
Updated•23 years ago
|
Keywords: js1.5,
mozilla1.0
Target Milestone: mozilla1.0.1 → mozilla1.0
|
|
Assignee | |
Updated•23 years ago
|
Status: NEW → ASSIGNED
Keywords: mozilla1.0 → mozilla1.0.1
Target Milestone: mozilla1.0 → mozilla1.0.1
|
||
Comment 6•23 years ago
|
||
do we still want to go for this in 1.0.1?
|
|
Assignee | |
Comment 7•23 years ago
|
||
Moving out a bit. The js1.5 release (after an rc5 release candidate) should
come off off the 1.0 branch on or before 1.0.2 freezing, I say. The trunk and
branch should be in sync for js/src/js*.[chmt]* and build files.
/be
Keywords: mozilla1.0.1 → mozilla1.2
Target Milestone: mozilla1.0.1 → mozilla1.0.2
|
|
Assignee | |
Comment 8•23 years ago
|
||
Don't share the prototype's map if the new object's class and the prototype's
class do not have the same slot-allocating flag bits (JSCLASS_HAS_PRIVATE and
the reserved slots field).
This fixes jband's reduced testcase, and makes sense. Looking for r= and sr=
pretty soon. Thanks,
/be
|
||
Comment 9•23 years ago
|
||
Comment on attachment 93330 [details] [diff] [review]
proposed fix
r=rogerl
Attachment #93330 -
Flags: review+
|
|
Reporter | |
Updated•23 years ago
|
Attachment #93330 -
Flags: superreview+
|
|
Reporter | |
Comment 10•23 years ago
|
||
Comment on attachment 93330 [details] [diff] [review]
proposed fix
sr=jband. A comment wouldn't hurt.
|
|
Assignee | |
Comment 11•23 years ago
|
||
Fixed on the trunk. Another one for the eventual js1.5 landing on the 1.0
branch....
/be
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
|
||
Comment 12•23 years ago
|
||
Verified Fixed
On WinNT, Linux, I built the JS shell using jband's C testcase
above in place of js.c. Before the fix for this bug, I experienced:
WINNT
debug, opt shell both crashed on startup
LINUX
debug shell crashed on startup (but opt shell did not: why?)
After this fix, the testcase passed; i.e. I got no crash on
startup in either debug or optimized mode, on WinNT or Linux -
Status: RESOLVED → VERIFIED
|
||
Updated•20 years ago
|
Flags: testcase-
You need to log in
before you can comment on or make changes to this bug.
Description
•