Closed Bug 657586 Opened 13 years ago Closed 13 years ago

TI: Crash [@ js::types::TypeFailure] involving missing type in object #3:26:Object set: #2

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

(function() {
    with([]) {}
    Object.defineProperty([], "", {
        set: (function() {})
    })
})()

crashes js debug shell on JM changeset 8aa5d9272628 with -m and -n at js::types::TypeFailure

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   69785:f18e992f6ec8
user:        Brian Hackett
date:        Mon May 16 16:15:37 2011 -0700
summary:     [INFER] Move addTypeProperty barriers under obj->setProperty, obj->defineProperty, bug 619693.
When defining native properties we weren't updating the type information for properties with a method barrier.  Weird this didn't show up in jit-tests or jstests, but it looks like it did on tinderbox.

http://hg.mozilla.org/projects/jaegermonkey/rev/97f9e3274bd5
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::types::TypeFailure]
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.