Closed Bug 683999 Opened 14 years ago Closed 14 years ago

"Assertion failure: hasSingletonType()" in JSObject::splicePrototype (jsinfer.cpp)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-jaegermonkey)

Attachments

(3 files)

testcase (asserts fatally when loaded)
320 bytes, text/html
Details
stack trace
7.26 KB, text/plain
Details
patch
1006 bytes, patch
dvander
: review+
Details | Diff | Splinter Review
Assertion failure: hasSingletonType(), at js/src/jsinfer.cpp:5071
Attached file stack trace
Attached patch patchSplinter Review
TI adds a JS_SplicePrototype API function which allows XPConnect to rearrange the prototype chain while preserving precise types for global properties etc. This is only intended to be used for objects with singleton types (where we can do this rearranging), but because of mutable __proto__ other objects may get passed in instead. Fix makes this function robust for such objects.
Attachment #558530 - Flags: review?(dvander)
Attachment #558530 - Flags: review?(dvander) → review+
https://hg.mozilla.org/mozilla-central/rev/9ca3d16d575c
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Filter on qa-project-auto-change: Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: