Closed
Bug 709067
Opened 13 years ago
Closed 13 years ago
JS Correctness: Another issue with/without TI and defineProperty/prototype
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla10
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: testcase, Whiteboard: [qa!] js-triage-needed)
Attachments
(1 file)
|
1.94 KB,
patch
|
luke
:
review+
christian
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following test produces different output with options "-m -a" vs. "-m -a -n" on mozilla-central revision 63bff373cb94:
Object.defineProperty(Object.prototype, 0, {set: function() { this.abstract; }});
function testStringify() {
var t = true;
var a = [];
a[0] = "" + t;
return a.join(",");
}
print(testStringify());
Output:
$ $JS -m -a min.js
$ $JS -m -a -n min.js
true
The test looks like bug 706808 but that is fixed already.
|
||
Updated•13 years ago
|
|
Assignee | |
Comment 1•13 years ago
|
||
Similar issue to bug 706808, but affecting indexed array properties --- setters were only getting called when directly on Array.prototype, and non-writable prototype properties were getting ignored entirely.
Assignee: general → bhackett1024
Attachment #580459 -
Flags: review?(luke)
|
||
Updated•13 years ago
|
Attachment #580459 -
Flags: review?(luke) → review+
|
|
Assignee | |
Comment 2•13 years ago
|
||
|
|
||
Comment 3•13 years ago
|
||
Brian, do you think we should nominate this for 10?
|
|
Assignee | |
Comment 4•13 years ago
|
||
Comment on attachment 580459 [details] [diff] [review]
patch
Sure.
Attachment #580459 -
Flags: approval-mozilla-aurora?
|
||
Comment 5•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
|
||
Comment 6•13 years ago
|
||
(In reply to Brian Hackett (:bhackett) from comment #4)
> Comment on attachment 580459 [details] [diff] [review]
> patch
>
> Sure.
[Triage Comment]
Can you help us understand the risk involved with this patch? Thanks!
|
|
Assignee | |
Comment 7•13 years ago
|
||
The problem here is similar to bug 706808, with a similar (small) risk.
Comment on attachment 580459 [details] [diff] [review]
patch
Approved for mozilla-aurora. Please land today.
Attachment #580459 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 9•13 years ago
|
||
Target Milestone: mozilla11 → mozilla10
|
|
||
Updated•13 years ago
|
status-firefox10:
--- → fixed
status-firefox11:
--- → fixed
|
||
Comment 10•13 years ago
|
||
Ubuntu 11.04 64 bit
I built Spidermonkey for the latest beta (rev d46a4577a631) and run the test from comment #0: same output is produced in both cases (-m -a -n and -m -a):
./js -m -a -n test709067
./js -m -a test709067
Marking verified for Firefox 11.
Status: RESOLVED → VERIFIED
Whiteboard: [qa+] js-triage-needed → [qa!] js-triage-needed
You need to log in
before you can comment on or make changes to this bug.
Description
•