Closed Bug 684348 Opened 13 years ago Closed 13 years ago

"Assertion failure: type_->proto->newType" with proxy freeze

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, testcase, Whiteboard: fixed-in-jaegermonkey)

Attachments

(2 files)

crash report
8.61 KB, text/plain
Details
patch
2.04 KB, patch
billm
: review+
Details | Diff | Splinter Review
Attached file crash report 
./js -n

var x = Proxy.create({ fix: function() { return []; } });
Object.__proto__ = x;
Object.freeze(x);
quit();

Triggers this assertion during shell shutdown:
  Assertion failure: type_->proto->newType, at js/src/jsinfer.cpp:5273

This is a regression from bug 669969 (rev dd84f621ca25 + rev cdb452875184).
Attached patch patchSplinter Review 
TradeGuts would swap the new types for the two objects, which it shouldn't do, violating an invariant that the prototype of a singleton object has a newType.  newType is cached data inline to the JSObject (the same as emptyShapes before it), not functional information.  Filed bug 684410 to remove newType entirely from JSObject.
Attachment #557997 - Flags: review?(wmccloskey)
Attachment #557997 - Flags: review?(wmccloskey) → review+
http://hg.mozilla.org/mozilla-central/rev/8385e0145b8d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: