Closed
Bug 672104
Opened 9 years ago
Closed 9 years ago
TI: Crash [@ JSObject::splicePrototype]
Categories
(Core :: JavaScript Engine, defect, critical)
Core
JavaScript Engine
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: gkw, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Crash Data
Attachments
(1 file)
|
3.00 KB,
text/plain
|
Details |
a = {}
b = __proto__
for (i = 0; i < 9; i++) {
__proto__ = a
a.__proto__ = b
}
crashes js debug shell on JM changeset a37127f33d22 with -n at an unknown location (because I haven't yet tested on other platforms).
|
Reporter | |
Comment 1•9 years ago
|
||
Just checked that it crashes on js 32-bit debug and opt shells on Linux at JSObject::splicePrototype on changeset 7f471e15146e with -n.
Crash Signature: [@ JSObject::splicePrototype]
OS: Windows 7 → All
Hardware: x86 → All
Summary: TI: Crash with testcase on Windows 7 → TI: Crash [@ JSObject::splicePrototype]
|
|
Reporter | |
Comment 2•9 years ago
|
||
|
||
Comment 3•9 years ago
|
||
It looks like with the lazy types introduced by bug 670185 we were not maintaining the list of instances of each type object correctly. This list was removed entirely by the second refactoring in bug 669969.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
|
||
Comment 4•7 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•