Closed Bug 856344 Opened 9 years ago Closed 9 years ago
Crash [@ js::Proxy::has] with adopted <form>
The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/c4a29b7a2ead user: Bill McCloskey date: Mon Mar 18 17:27:09 2013 -0700 summary: Bug 852667 - Permit passing #fixed slots to getInitialShape (r=bhackett) bp-7d623037-eabc-4b20-b94b-f53cd2130330
9 years ago
Assignee: general → wmccloskey
We don't track all regressions - only those with significant user impact (security, stability, usability, etc.). This bug doesn't appear to meet that criteria at this stage.
Not surprisingly I screwed up the TradeGuts logic. When we swap A and B, I was thinking that A and B would keep the same number of fixed slots. However, since the class is changing, the meaning of numFixedSlots() sort of changes too (since it depends on whether the class has a private pointer and such). I think we're going to have to clear the nursery out before TradeGuts anyway, so we might as well use tenuredGetAllocKind() here. I checked the one other place where I changed the getInitialShape call, and it still seems correct.
Attachment #732087 - Flags: review?(bhackett1024)
Comment on attachment 732087 [details] [diff] [review] patch Review of attachment 732087 [details] [diff] [review]: ----------------------------------------------------------------- The nursery should definitely be cleared if either a or b is not tenured, I don't think it will need to be in other cases though, provided that the GC-triggering stuff like getInitialShape properly moves any pointers in reserved.
Attachment #732087 - Flags: review?(bhackett1024) → review+
Comment on attachment 732087 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 852667 User impact if declined: Crashes Testing completed (on m-c, etc.): On m-c Risk to taking this patch (and alternatives if risky): Very low--just restores code to former state. String or IDL/UUID changes made by this patch: None.
Attachment #732087 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Attachment #732087 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:22.0) Gecko/20100101 Firefox/22.0 Build ID: 20130618035212 Verified as fixed on Firefox 22 RC1 and there are also no crash reports in Socorro related with this signature.
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0 Build ID: 20130703181823 Verified as fixed on Firefox 23 beta 3.
You need to log in before you can comment on or make changes to this bug.