|
6.61 KB,
text/plain
|
Details |
(function () {
[] = x = /x/;
x.toString = Function.prototype.bind;
print(x)
})()
crashes js debug and opt shell on TM changeset 6c8becdd1574 without -m nor -j.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 64672:0906d9490eaf
user: Jeff Walden
date: Mon Mar 28 20:01:53 2011 -0700
summary: Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited. r=luke
Bug 635389 may be related, I'm filing separate because they have different regression windows.
|
(Reporter) | |
Updated•6 years ago
|
||
|
|
(Reporter) | |
Comment 1•6 years ago
|
||
Created attachment 524841 [details]
stack|
|
(Reporter) | |
Comment 2•6 years ago
|
||
(In reply to comment #0) > Bug 635389 may be related, I'm filing separate because they have different > regression windows. The more I look at the stacks, the more I suspect this is another manifestation of bug 635389, even though that bug doesn't have .bind and this one does. I'll leave it to others more knowledgeable to confirm this dupe.
|
|
(Reporter) | |
Updated•6 years ago
|
||
|
||
Comment 3•6 years ago
|
||
toString would call bind, that would throw because |this| wasn't callable, then it'd try to be helpful and stringify |this| for the error message, lather, rinse, repeat. Fixed by bug 601709, which removed this errant stringification that's not at all part of the spec, and which also removes the possibility of recurring solely via built-in methods.
|
||
Updated•6 years ago
|
||
|
||
Comment 4•5 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Description
•