Closed
Bug 596128
Opened 13 years ago
Closed 13 years ago
crash [@JSObject::removeProperty] navigating away from greyhound.com
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla2.0b6
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta7+ |
People
(Reporter: Gavin, Assigned: brendan)
References
Details
(Keywords: crash, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
1.12 KB,
patch
|
jorendorff
:
review+
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
This looks similar to bug 595365, but I still see it on current m-c tip (revision 3f91f47a29a8). I can reproduce it in a clean profile. STR: 1) Load http://www.greyhound.com 2) Click any link, or close the browser window
|
Reporter | |
Updated•13 years ago
|
blocking2.0: --- → ?
|
|
Reporter | |
Comment 1•13 years ago
|
||
Crashes from the latest Mac nightly: bp-7701acdd-0c30-4dbe-b572-880f42100913 bp-b22193b2-dd36-4b33-b2bd-998122100913 bp-2735675e-07fd-43b8-a748-4e0822100913
|
Assignee | |
Updated•13 years ago
|
Assignee: general → brendan
|
|
Assignee | |
Comment 3•13 years ago
|
||
Attachment #475166 -
Flags: review?(jorendorff)
|
|
Assignee | |
Updated•13 years ago
|
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: x86 → All
Target Milestone: --- → mozilla2.0b6
|
|
Assignee | |
Comment 4•13 years ago
|
||
Comment on attachment 475166 [details] [diff] [review] d'oh! I had thought the method jit used PropertyCache::fill This is needed but not sufficient. More in a bit. /be
Attachment #475166 -
Attachment is obsolete: true
Attachment #475166 -
Flags: review?(jorendorff)
|
|
Assignee | |
Comment 5•13 years ago
|
||
This is a straight-up fix. I need to develop a shell test, but this should go into tm and m-c ASAP. /be
Attachment #475410 -
Flags: review?(jorendorff)
|
||
Updated•13 years ago
|
Attachment #475410 -
Flags: review+
|
|
Assignee | |
Comment 6•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/5a9a613aa6e3 Sorry about the inaccurate commit message! /be
Flags: in-testsuite?
Whiteboard: fixed-in-tracemonkey
|
|
Assignee | |
Comment 7•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6dfa6a7c94e0 I will keep this bug open to do the tests. /be
|
||
Updated•13 years ago
|
blocking2.0: ? → beta7+
|
||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Comment 9•13 years ago
|
||
This change looks fine but I'd like to chat with a JM hacker about this code. Any volunteers?
|
|
||
Updated•13 years ago
|
Attachment #475410 -
Flags: review?(jorendorff) → review+
|
||
Updated•13 years ago
|
Crash Signature: [@JSObject::removeProperty]
You need to log in
before you can comment on or make changes to this bug.
Description
•