The assertion at the start of Value::setObject has a special case to allow you to pass 0x48, since that's used to create a special value in ObjectValueCrashOnTouch(). Let's remove this case and make clients use PoisonedObjectValue() instead.
Created attachment 8908211 [details] [diff] [review] bug1399933-remove-crash-on-touch This patch also moves PoisonedObjectValue() to the 'js' namespace. It's not used outside the engine.
Attachment #8908211 - Flags: review?(sphink)
Attachment #8908211 - Flags: review?(sphink) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/5c1007b062e3 Replace use of ObjectValueCrashOnTouch with PoisonedObjectValue r=sfink
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox57: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla57
You need to log in before you can comment on or make changes to this bug.