Closed
Bug 683999
Opened 13 years ago
Closed 13 years ago
"Assertion failure: hasSingletonType()" in JSObject::splicePrototype (jsinfer.cpp)
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-jaegermonkey)
Attachments
(3 files)
Assertion failure: hasSingletonType(), at js/src/jsinfer.cpp:5071
|
Reporter | |
Comment 1•13 years ago
|
||
|
||
Comment 2•13 years ago
|
||
TI adds a JS_SplicePrototype API function which allows XPConnect to rearrange the prototype chain while preserving precise types for global properties etc. This is only intended to be used for objects with singleton types (where we can do this rearranging), but because of mutable __proto__ other objects may get passed in instead. Fix makes this function robust for such objects.
Attachment #558530 -
Flags: review?(dvander)
|
|
||
Comment 3•13 years ago
|
||
http://hg.mozilla.org/projects/jaegermonkey/rev/f3dd7cf2d0b3
Whiteboard: fixed-in-jaegermonkey
|
||
Updated•13 years ago
|
Attachment #558530 -
Flags: review?(dvander) → review+
|
|
||
Comment 4•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9ca3d16d575c
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
||
Comment 5•11 years ago
|
||
Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•