Closed Bug 366468 Opened 13 years ago Closed 13 years ago

Trying to set a value on a property without a setter crashes (Assertion failure: !SPROP_HAS_STUB_SETTER(sprop), at m:/trunk/mozilla/js/src/jsobj.c:3697)

Categories

(Core :: JavaScript Engine, defect, P1, critical)

Tracking

VERIFIED FIXED
mozilla1.9alpha8

People

(Reporter: WeirdAl, Assigned: brendan)

Details

(5 keywords)

Attachments

(2 files)

<field name="_invalidMessage">null</field>
<property name="invalidMessage" readonly="true">
  <getter>return this._invalidMessage;</getter>
</property>

this.invalidMessage = "foo" ==> crash

Stack trace coming up.
Attached file stack trace
The following testcase crashes a current js shell:
function o(){} o.prototype = {get foo() {}}; obj = new o(); obj.foo = 2;
Assignee: general → general
Component: XBL → JavaScript Engine
QA Contact: ian → general
Flags: blocking1.9?
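The testcase above, expanded into an added check. It is not part of the bug report, and not the contents of regress-366468.js, which this page does not show. It pins down what a write to a getter-only property does in an engine with current ECMAScript semantics (an assumption about the runtime); the helper names are hypothetical.

```javascript
// Added example; helper names are hypothetical, sample objects constructed.
// Assumes an engine with current ECMAScript semantics (e.g. Node.js).

// Same shape as the testcase in the report: getter on the prototype, no setter.
function makeGetterOnly() {
  function o() {}
  o.prototype = { get foo() { return 1; } };
  return new o();
}

// Function-constructor bodies are sloppy unless they opt in, so these two
// behave the same whether this file is loaded as a script or a module.
const sloppySet = new Function("obj", "obj.foo = 2;");
const strictSet = new Function("obj", "'use strict'; obj.foo = 2;");

// Run one write and report everything a regression test should pin down.
function attempt(setter) {
  const obj = makeGetterOnly();
  let threw = null;
  try {
    setter(obj);
  } catch (e) {
    threw = e.constructor.name;
  }
  return {
    threw,                                   // error type, or null
    value: obj.foo,                          // getter must still answer
    shadowed: Object.prototype.hasOwnProperty.call(obj, "foo"),
  };
}

// Reflect.set reports the refused write as a boolean instead of throwing.
function reflectWrite() {
  return Reflect.set(makeGetterOnly(), "foo", 2);
}

console.log("sloppy:", attempt(sloppySet));
console.log("strict:", attempt(strictSet));
console.log("Reflect.set:", reflectWrite());
```

In every case the process keeps running, the getter still returns 1, and no own property named foo appears on the instance.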
Attached patch Oops
This is familiar.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #251005 - Flags: review?(mrbkap)
This is just an assertion fix and a comment improvement, so I'm gonna check in with tachyonal r+mrbkap.

/be
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Resolution: --- → FIXED
Attachment #251005 - Flags: review?(mrbkap) → review+
Flags: in-testsuite?
Brendan: looks like you checked in the patch for bug 363040 when you checked this bug's patch in.
(In reply to comment #5)
> Brendan: looks like you checked in the patch for bug 363040 when you checked
> this bug's patch in.

I was being clever with `!!` to generate the list of files to commit, and a rogue cvs crawled my working tree's cwd and kids.  I ctrl-C'ed but not in time.  Just as well, since that Array.reduce patch had r+.  Thanks for the heads up.

/be
Yesterday was "empty overfull working js/src.bench tree" for me: I also committed the debugger support thread safety patch for bug 324010.  Should be good, glad my !! was not what I thought it was!

/be
This assertion and comment fix should follow the followup fix in bug 366396 into the 1.8 and 1.8.0 branches.

/be
Comment on attachment 251005
Oops

Assertion and comment fixes, won't affect release build, wanted for consistency with trunk.

/be
Attachment #251005 - Flags: approval1.8.1.2?
Attachment #251005 - Flags: approval1.8.0.10?
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Comment on attachment 251005
Oops

Approved for both branches, a=jay for drivers.
Attachment #251005 - Flags: approval1.8.1.2?
Attachment #251005 - Flags: approval1.8.1.2+
Attachment #251005 - Flags: approval1.8.0.10?
Attachment #251005 - Flags: approval1.8.0.10+
Fixed, see bug 366396 comment 7.

/be
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-366468.js,v  <--  regress-366468.js
initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux
Status: RESOLVED → VERIFIED
Flags: blocking1.9?