Closed
Bug 596128
Opened 15 years ago
Closed 15 years ago
crash [@JSObject::removeProperty] navigating away from greyhound.com
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla2.0b6
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta7+ |
People
(Reporter: Gavin, Assigned: brendan)
References
Details
(Keywords: crash, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
1.12 KB,
patch
|
jorendorff
:
review+
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
This looks similar to bug 595365, but I still see it on current m-c tip (revision 3f91f47a29a8). I can reproduce it in a clean profile.
STR:
1) Load http://www.greyhound.com
2) Click any link, or close the browser window
|
Reporter | |
Updated•15 years ago
|
blocking2.0: --- → ?
|
|
Reporter | |
Comment 1•15 years ago
|
||
Crashes from the latest Mac nightly:
bp-7701acdd-0c30-4dbe-b572-880f42100913
bp-b22193b2-dd36-4b33-b2bd-998122100913
bp-2735675e-07fd-43b8-a748-4e0822100913
|
Assignee | |
Updated•15 years ago
|
Assignee: general → brendan
|
|
Assignee | |
Comment 3•15 years ago
|
||
Attachment #475166 -
Flags: review?(jorendorff)
|
|
Assignee | |
Updated•15 years ago
|
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla2.0b6
|
|
Assignee | |
Comment 4•15 years ago
|
||
Comment on attachment 475166 [details] [diff] [review]
d'oh! I had thought the method jit used PropertyCache::fill
This is needed but not sufficient. More in a bit.
/be
Attachment #475166 -
Attachment is obsolete: true
Attachment #475166 -
Flags: review?(jorendorff)
|
|
Assignee | |
Comment 5•15 years ago
|
||
This is a straight-up fix. I need to develop a shell test, but this should go into tm and m-c ASAP.
/be
Attachment #475410 -
Flags: review?(jorendorff)
|
||
Updated•15 years ago
|
Attachment #475410 -
Flags: review+
|
|
Assignee | |
Comment 6•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/5a9a613aa6e3
Sorry about the inaccurate commit message!
/be
Flags: in-testsuite?
Whiteboard: fixed-in-tracemonkey
|
|
Assignee | |
Comment 7•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6dfa6a7c94e0
I will keep this bug open to do the tests.
/be
|
||
Updated•15 years ago
|
blocking2.0: ? → beta7+
|
||
Updated•15 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Comment 9•15 years ago
|
||
This change looks fine but I'd like to chat with a JM hacker about this code. Any volunteers?
|
|
||
Updated•15 years ago
|
Attachment #475410 -
Flags: review?(jorendorff) → review+
|
||
Updated•14 years ago
|
Crash Signature: [@JSObject::removeProperty]
You need to log in
before you can comment on or make changes to this bug.
Description
•