Beginning on October 25th, 2016, Persona will no longer be an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 690732 - TI: Assertion failure: nativeContains(cx, *shape), at jsscope.cpp:891
: TI: Assertion failure: nativeContains(cx, *shape), at jsscope.cpp:891
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: ---
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
  Show dependency treegraph
Reported: 2011-09-30 05:47 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:44 PST (History)
5 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (3.51 KB, patch)
2011-10-27 09:27 PDT, Brian Hackett (:bhackett)
luke: review+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2011-09-30 05:47:43 PDT
The following test asserts on jaegermonkey revision 174db15b3f05 (options -m -n -a):

var o4 = Object.freeze({ 
  set: function(summary) {}       
Comment 1 Brian Hackett (:bhackett) 2011-10-27 09:27:02 PDT
Created attachment 570005 [details] [diff] [review]

methodShapeChange could return a stale shape not actually in the object if the method was the object's last property.  This also fixes a (longstanding) weirdness where methodShapeChange tolerated being called on a non-method shape.
Comment 2 Christian Holler (:decoder) 2012-01-02 05:12:30 PST
Old JM branch bug, marking as fixed.
Comment 3 Christian Holler (:decoder) 2013-01-14 08:44:39 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug690732.js.

Note You need to log in before you can comment on or make changes to this bug.