Closed Bug 657586 Opened 14 years ago Closed 14 years ago

TI: Crash [@ js::types::TypeFailure] involving missing type in object #3:26:Object set: #2

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

(function() { with([]) {} Object.defineProperty([], "", { set: (function() {}) }) })() crashes js debug shell on JM changeset 8aa5d9272628 with -m and -n at js::types::TypeFailure autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 69785:f18e992f6ec8 user: Brian Hackett date: Mon May 16 16:15:37 2011 -0700 summary: [INFER] Move addTypeProperty barriers under obj->setProperty, obj->defineProperty, bug 619693.
When defining native properties we weren't updating the type information for properties with a method barrier. Weird this didn't show up in jit-tests or jstests, but it looks like it did on tinderbox. http://hg.mozilla.org/projects/jaegermonkey/rev/97f9e3274bd5
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::types::TypeFailure]
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.