Closed Bug 856344 Opened 9 years ago Closed 9 years ago

Crash [@ js::Proxy::has] with adopted <form>

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla23
Tracking Status
firefox22 - verified
firefox23 --- verified

People

(Reporter: jruderman, Assigned: billm)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/c4a29b7a2ead
user:        Bill McCloskey
date:        Mon Mar 18 17:27:09 2013 -0700
summary:     Bug 852667 - Permit passing #fixed slots to getInitialShape (r=bhackett)

bp-7d623037-eabc-4b20-b94b-f53cd2130330
Assignee: general → wmccloskey
Attached file stack (gdb)
We don't track all regressions - only those with significant user impact (security, stability, usability, etc.). This bug doesn't appear to meet those criteria at this stage.
Attached patch patch
Not surprisingly I screwed up the TradeGuts logic. When we swap A and B, I was thinking that A and B would keep the same number of fixed slots. However, since the class is changing, the meaning of numFixedSlots() sort of changes too (since it depends on whether the class has a private pointer and such).

I think we're going to have to clear the nursery out before TradeGuts anyway, so we might as well use tenuredGetAllocKind() here. I checked the one other place where I changed the getInitialShape call, and it still seems correct.
Attachment #732087 - Flags: review?(bhackett1024)
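As an added illustration of the invariant the comment above describes (a hypothetical C++ model written for this page, not code from the patch or from SpiderMonkey): all type and function names below are stand-ins for the engine's own, and the model only shows why the fixed-slot count has to be recomputed for the class an object will hold after the swap rather than carried over from before it.

```cpp
// Hypothetical model, not SpiderMonkey code. An allocation kind fixes how
// many slot words an object cell has; a class with a private pointer spends
// one of them on that pointer, so numFixedSlots() depends on the class too.
enum class AllocKind : unsigned { Object2 = 2, Object4 = 4, Object8 = 8 };

struct Class {
    const char *name;
    bool hasPrivate;   // stand-in for JSCLASS_HAS_PRIVATE
};

struct Shape {
    const Class *clasp;
    unsigned numFixedSlots;
};

struct Object {
    AllocKind kind;    // the cell's allocation kind does not change in a trade
    Shape shape;
    unsigned numFixedSlots() const { return shape.numFixedSlots; }
};

// Fixed slots a cell of this kind offers to an object of this class.
unsigned fixedSlotsFor(AllocKind kind, const Class *clasp) {
    return static_cast<unsigned>(kind) - (clasp->hasPrivate ? 1u : 0u);
}

Shape getInitialShape(const Class *clasp, unsigned nfixed) {
    return Shape{clasp, nfixed};
}

// Buggy trade (the regression): reuses each object's pre-swap fixed slot
// count for a shape that belongs to the OTHER object's class.
void tradeGutsBuggy(Object &a, Object &b) {
    Shape newA = getInitialShape(b.shape.clasp, a.numFixedSlots());
    Shape newB = getInitialShape(a.shape.clasp, b.numFixedSlots());
    a.shape = newA; b.shape = newB;
}

// Fixed trade: derive the count from the cell's allocation kind and the class
// it will now hold, as the patch does via tenuredGetAllocKind().
void tradeGutsFixed(Object &a, Object &b) {
    Shape newA = getInitialShape(b.shape.clasp, fixedSlotsFor(a.kind, b.shape.clasp));
    Shape newB = getInitialShape(a.shape.clasp, fixedSlotsFor(b.kind, a.shape.clasp));
    a.shape = newA; b.shape = newB;
}

// The invariant a debug assertion would check: shape and storage agree.
bool layoutConsistent(const Object &o) {
    return o.shape.numFixedSlots == fixedSlotsFor(o.kind, o.shape.clasp);
}
```

With two same-sized cells whose classes differ only in having a private pointer, the buggy trade leaves both shapes one slot off from their storage, which is exactly the kind of mismatch a later slot access would trip over.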
Comment on attachment 732087 [details] [diff] [review]
patch

Review of attachment 732087 [details] [diff] [review]:
-----------------------------------------------------------------

The nursery should definitely be cleared if either a or b is not tenured, I don't think it will need to be in other cases though, provided that the GC-triggering stuff like getInitialShape properly moves any pointers in reserved.
Attachment #732087 - Flags: review?(bhackett1024) → review+
Comment on attachment 732087 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 852667
User impact if declined: Crashes
Testing completed (on m-c, etc.): On m-c
Risk to taking this patch (and alternatives if risky): Very low--just restores code to former state.
String or IDL/UUID changes made by this patch: None.
Attachment #732087 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/785dd64cc822
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Attachment #732087 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:22.0) Gecko/20100101 Firefox/22.0
Build ID: 20130618035212

Verified as fixed on Firefox 22 RC1, and there are also no crash reports in Socorro related to this signature.
Flags: in-testsuite?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0
Build ID: 20130703181823

Verified as fixed on Firefox 23 beta 3.