Closed
Bug 721939
Opened 12 years ago
Closed 12 years ago
"Assertion failure: vp[1].isObject(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla13
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: js-triage-needed)
Attachments
(2 files)
1.64 KB,
text/plain
|
Details | |
703 bytes,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
a = Function.prototype.__proto__ a[3] = a x = 7; for each(d in []) { d.__noSuchMethod__ = Object.isSealed } Function("x.f()")() asserts js debug shell on m-c changeset 8a59519e137e with -m and -a at Assertion failure: vp[1].isObject(),
Reporter | ||
Comment 1•12 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 84323:16f0d80b3137 user: Brian Hackett date: Wed Jan 11 17:31:41 2012 -0800 summary: Account for all special CALLPROP behavior in inline cache stub, bug 717208. r=dvander
Blocks: 717208
Assignee | ||
Comment 2•12 years ago
|
||
__noSuchMethod__ seems to have the property that it shouldn't be called if the lvalue in the property access is not an object, but the way the property cache invokes GetPropertyOperation allowed __noSuchMethod__ to be called on primitives.
Assignee: general → bhackett1024
Attachment #593657 -
Flags: review?(dvander)
Updated•12 years ago
|
Attachment #593657 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 3•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e62254ca31f8
Comment 4•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e62254ca31f8
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
You need to log in
before you can comment on or make changes to this bug.
Description
•