Bug 684348 - "Assertion failure: type_->proto->newType" with proxy freeze
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Assigned To: general
: Jason Orendorff [:jorendorff]
Blocks: 326633 infer-regress 669969
Reported: 2011-09-02 14:09 PDT by Jesse Ruderman
Modified: 2011-09-06 22:42 PDT

crash report (8.61 KB, text/plain)
2011-09-02 14:09 PDT, Jesse Ruderman
patch (2.04 KB, patch)
2011-09-02 17:30 PDT, Brian Hackett (:bhackett)
wmccloskey: review+

Description Jesse Ruderman 2011-09-02 14:09:49 PDT
Created attachment 557940
crash report

./js -n

var x = Proxy.create({ fix: function() { return []; } });
Object.__proto__ = x;

Triggers this assertion during shell shutdown:
  Assertion failure: type_->proto->newType, at js/src/jsinfer.cpp:5273

This is a regression from bug 669969 (rev dd84f621ca25 + rev cdb452875184).
Comment 1 Brian Hackett (:bhackett) 2011-09-02 17:30:08 PDT
Created attachment 557997

TradeGuts would swap the new types for the two objects, which it shouldn't do, violating an invariant that the prototype of a singleton object has a newType.  newType is cached data inline to the JSObject (the same as emptyShapes before it), not functional information.  Filed bug 684410 to remove newType entirely from JSObject.
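
The invariant described in comment 1, as a toy C++ model (an added example, not part of the bug thread and not SpiderMonkey code; the attached patch is not shown on this page). `Obj`, `TypeObject`, `holder` (standing in for `Object` in the testcase) and both `tradeGuts*` functions are assumptions made for illustration.

```cpp
// Toy model constructed for this example; field names follow the bug's wording,
// but none of this is SpiderMonkey source.
#include <cstdio>
#include <utility>

struct Obj;
struct TypeObject { Obj *proto; };  // the "type_->proto" of the assertion

struct Obj {
    TypeObject *type;     // type of this object
    TypeObject *newType;  // cache: type handed to objects that use this one as prototype
    int guts;             // stand-in for everything else (class, slots, ...)
};

// Invariant from the assertion: the prototype recorded in an object's type has a newType.
bool invariantHolds(const Obj &o) {
    return o.type->proto == nullptr || o.type->proto->newType != nullptr;
}

// Behaviour comment 1 describes: all contents trade places, the cache included.
void tradeGutsSwappingCache(Obj &a, Obj &b) { std::swap(a, b); }

// Assumed alternative: trade the contents but leave each cache at its address,
// because other objects' types refer to the prototype by address.
void tradeGutsKeepingCache(Obj &a, Obj &b) {
    std::swap(a, b);
    std::swap(a.newType, b.newType);
}

// Builds the testcase's shape: `holder` has the proxy as prototype, then the
// proxy is fixed by trading guts with a fresh object that has no newType yet.
bool invariantAfterFix(bool keepCache) {
    TypeObject proxyType{nullptr}, freshType{nullptr}, holderType{nullptr};
    Obj proxy{&proxyType, &holderType, 1};
    Obj fresh{&freshType, nullptr, 2};
    Obj holder{&holderType, nullptr, 3};
    holderType.proto = &proxy;
    if (keepCache) tradeGutsKeepingCache(proxy, fresh);
    else tradeGutsSwappingCache(proxy, fresh);
    return invariantHolds(holder) && proxy.guts == 2;  // guts did trade places
}

int main() {
    std::printf("swapping cache: invariant %s\n", invariantAfterFix(false) ? "holds" : "broken");
    std::printf("keeping cache:  invariant %s\n", invariantAfterFix(true) ? "holds" : "broken");
    return 0;
}
```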
Comment 2 Brian Hackett (:bhackett) 2011-09-04 13:43:36 PDT
Comment 3 Brian Hackett (:bhackett) 2011-09-06 22:42:25 PDT
