Closed
Bug 366468
Opened 18 years ago
Closed 18 years ago
Trying to set a value on a property without a setter crashes (Assertion failure: !SPROP_HAS_STUB_SETTER(sprop), at m:/trunk/mozilla/js/src/jsobj.c:3697)
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha8
People
(Reporter: WeirdAl, Assigned: brendan)
Details
(5 keywords)
Attachments
(2 files)
|
8.25 KB,
text/plain
|
Details | |
|
3.24 KB,
patch
|
mrbkap
:
review+
jay
:
approval1.8.1.2+
jay
:
approval1.8.0.10+
|
Details | Diff | Splinter Review |
<field name="_invalidMessage">null</field>
<property name="invalidMessage" readonly="true">
<getter>return this._invalidMessage;</getter>
</property>
this.invalidMessage = "foo" ==> crash
Stack trace coming up.
|
Reporter | |
Comment 1•18 years ago
|
||
|
||
Comment 2•18 years ago
|
||
The following testcase crashes a current js shell:
function o(){} o.prototype = {get foo() {}}; obj = new o(); obj.foo = 2;Assignee: general → general
Component: XBL → JavaScript Engine
QA Contact: ian → general
|
||
Updated•18 years ago
|
Flags: blocking1.9?
|
Assignee | |
Comment 3•18 years ago
|
||
This is familiar. /be
|
|
Assignee | |
Comment 4•18 years ago
|
||
This is just an assertion fix and a comment improvement, so I'm gonna check in with tachyonal r+mrbkap. /be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
OS: Windows XP → All
Priority: -- → P1
Hardware: PC → All
Resolution: --- → FIXED
|
||
Updated•18 years ago
|
Attachment #251005 -
Flags: review?(mrbkap) → review+
|
|
Reporter | |
Updated•18 years ago
|
Flags: in-testsuite?
|
|
||
Comment 5•18 years ago
|
||
Brendan: looks like you checked in the patch for bug 363040 when you checked this bug's patch in.
|
|
Assignee | |
Comment 6•18 years ago
|
||
(In reply to comment #5) > Brendan: looks like you checked in the patch for bug 363040 when you checked > this bug's patch in. I was being clever with `!!` to generate the list of files to commit, and a rogue cvs crawled my working tree's cwd and kids. I ctrl-C'ed but not in time. Just as well, since that Array.reduce patch had r+. Thanks for the heads up. /be
|
|
Assignee | |
Comment 7•18 years ago
|
||
Yesterday was "empty overfull working js/src.bench tree" for me: I also committed the debugger support thread safety patch for bug 324010. Should be good, glad my !! was not what I thought it was! /be
|
|
Assignee | |
Comment 8•18 years ago
|
||
This assertion and comment fix should follow the followup fix in bug 366396 into the 1.8 and 1.8.0 branches. /be
|
|
Assignee | |
Comment 9•18 years ago
|
||
Comment on attachment 251005 [details] [diff] [review] Oops Assertion and comment fixes, won't affect release build, wanted for consistency with trunk. /be
Attachment #251005 -
Flags: approval1.8.1.2?
Attachment #251005 -
Flags: approval1.8.0.10?
|
||
Updated•18 years ago
|
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
|
||
Comment 10•18 years ago
|
||
Comment on attachment 251005 [details] [diff] [review] Oops Approved for both branches, a=jay for drivers.
Attachment #251005 -
Flags: approval1.8.1.2?
Attachment #251005 -
Flags: approval1.8.1.2+
Attachment #251005 -
Flags: approval1.8.0.10?
Attachment #251005 -
Flags: approval1.8.0.10+
|
|
Assignee | |
Comment 11•18 years ago
|
||
Fixed, see bug 366396 comment 7. /be
Keywords: fixed1.8.0.10,
fixed1.8.1.2
|
||
Comment 12•18 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-366468.js,v <-- regress-366468.js initial revision: 1.1
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 13•18 years ago
|
||
verified fixed 1.8.0, 1.8.1, 1.9.0 2007-01-23 win/mac*/linux
Status: RESOLVED → VERIFIED
|
|
Reporter | |
Updated•18 years ago
|
Flags: blocking1.9?
You need to log in
before you can comment on or make changes to this bug.
Description
•