Bug 684348 - "Assertion failure: type_->proto->newType" with proxy freeze
Status: RESOLVED FIXED
Whiteboard: fixed-in-jaegermonkey
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Assigned To: general
: Jason Orendorff [:jorendorff]
Blocks: 326633 infer-regress 669969
Reported: 2011-09-02 14:09 PDT by Jesse Ruderman
Modified: 2011-09-06 22:42 PDT

Attachments
crash report (8.61 KB, text/plain)
2011-09-02 14:09 PDT, Jesse Ruderman
patch (2.04 KB, patch)
2011-09-02 17:30 PDT, Brian Hackett (:bhackett)
wmccloskey: review+

Description Jesse Ruderman 2011-09-02 14:09:49 PDT
Created attachment 557940
crash report

./js -n

var x = Proxy.create({ fix: function() { return []; } });
Object.__proto__ = x;
Object.freeze(x);
quit();

Triggers this assertion during shell shutdown:
  Assertion failure: type_->proto->newType, at js/src/jsinfer.cpp:5273

This is a regression from bug 669969 (rev dd84f621ca25 + rev cdb452875184).
Comment 1 Brian Hackett (:bhackett) 2011-09-02 17:30:08 PDT
Created attachment 557997
patch

TradeGuts would swap the new types for the two objects, which it shouldn't do, violating an invariant that the prototype of a singleton object has a newType.  newType is cached data inline to the JSObject (the same as emptyShapes before it), not functional information.  Filed bug 684410 to remove newType entirely from JSObject.
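
The invariant described in comment 1, as an added C++ toy model; it is not SpiderMonkey code and not the attached patch. `Obj`, `TypeObject`, the `tradeGuts*` functions and `scenario` are hypothetical names, and saving and restoring the cached field is an assumed way of keeping it out of the swap.

```cpp
#include <utility>

// Toy model with hypothetical names; not the engine's real object layout.
struct Obj;
struct TypeObject { Obj* proto; };

struct Obj {
    TypeObject* type = nullptr;     // the object's own type
    TypeObject* newType = nullptr;  // inline cache: type for objects whose prototype is this object
    int guts = 0;                   // stands in for the contents that are meant to trade places
};

// The asserted invariant: the prototype of a singleton object has a newType.
bool invariantHolds(const Obj& singleton) {
    return singleton.type && singleton.type->proto && singleton.type->proto->newType;
}

// Behaviour comment 1 describes as wrong: the cache travels with the swapped contents.
void tradeGutsSwappingCache(Obj& a, Obj& b) { std::swap(a, b); }

// Contents trade places, but each object keeps the cache tied to its own identity.
void tradeGutsKeepingCache(Obj& a, Obj& b) {
    TypeObject* aNew = a.newType;
    TypeObject* bNew = b.newType;
    std::swap(a, b);
    a.newType = aNew;
    b.newType = bNew;
}

// Constructed scenario: `proxy` is the prototype of a singleton, then has its
// contents replaced by those of `fresh` (as fixing a proxy does in the testcase).
bool scenario(bool keepCache) {
    Obj proxy, fresh, singleton;
    TypeObject singletonType{&proxy};  // singleton's type records proxy as its prototype
    TypeObject proxyNewType{&proxy};   // cached on proxy because it is used as a prototype
    proxy.newType = &proxyNewType;
    proxy.guts = 1;
    fresh.guts = 2;
    singleton.type = &singletonType;
    if (!invariantHolds(singleton)) return false;
    if (keepCache) tradeGutsKeepingCache(proxy, fresh);
    else tradeGutsSwappingCache(proxy, fresh);
    // The swap itself must have happened, and the invariant must still hold.
    return proxy.guts == 2 && invariantHolds(singleton);
}

int main() { return (scenario(true) && !scenario(false)) ? 0 : 1; }
```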
Comment 2 Brian Hackett (:bhackett) 2011-09-04 13:43:36 PDT
http://hg.mozilla.org/projects/jaegermonkey/rev/8385e0145b8d
Comment 3 Brian Hackett (:bhackett) 2011-09-06 22:42:25 PDT
http://hg.mozilla.org/mozilla-central/rev/8385e0145b8d
