Closed Bug 690732 Opened 14 years ago Closed 14 years ago

TI: Assertion failure: nativeContains(cx, *shape), at jsscope.cpp:891

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

patch
3.51 KB, patch
luke
: review+
Details | Diff | Splinter Review
The following test asserts on jaegermonkey revision 174db15b3f05 (options -m -n -a): var o4 = Object.freeze({ set: function(summary) {} });
Attached patch patchSplinter Review
methodShapeChange could return a stale shape not actually in the object if the method was the object's last property. This also fixes a (longstanding) weirdness where methodShapeChange tolerated being called on a non-method shape. https://hg.mozilla.org/projects/jaegermonkey/rev/636842dccfc9
Assignee: general → bhackett1024
Attachment #570005 - Flags: review?(luke)
Attachment #570005 - Flags: review?(luke) → review+
Old JM branch bug, marking as fixed.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug690732.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: