Closed Bug 950568 Opened 6 years ago Closed 6 years ago

Baseline crash after { document.__proto__= null; }

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla29

People

(Reporter: jruderman, Assigned: efaust)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

Attached file testcase
With:
  user_pref("javascript.options.baselinejit.unsafe_eager_compilation", true);

Crash [@ js::ObjectImpl::isNative]

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/8ba79063973d
user:        Eric Faust
date:        Fri Dec 13 12:01:30 2013 -0800
summary:     Bug 926012 - Part 2: Allow __proto__ sets on proxies. (r=Waldo)
Attached file stack
Needinfo from Eric :)
Flags: needinfo?(efaustbmo)
Attached patch Fix
This is a really silly one. We just didn't do a nullcheck on the proto coming out of a DOM proxy, since it wasn't settable and wasn't null before.

Now it's settable. Oops.

Fix also removes unused local variable, |isDOMProxy| as random nearby cleanup.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Attachment #8348263 - Flags: review?(kvijayan)
Flags: needinfo?(efaustbmo)
Attachment #8348263 - Flags: review?(kvijayan) → review+
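The missing null check described in the comment above, as an added example: a simplified model of a prototype lookup that starts at a proxy's proto, shown unchecked and checked. This is not the attached patch or SpiderMonkey source; `Obj`, `lookupUnchecked`, `lookupChecked` and the demo helpers are hypothetical names.

```cpp
// Simplified model of the bug class; not SpiderMonkey source. Obj,
// lookupUnchecked, lookupChecked and the demo helpers are hypothetical names.
#include <string>
#include <unordered_set>

struct Obj {
    bool isDOMProxy = false;
    const Obj* proto = nullptr;             // null is legal once __proto__ is settable
    std::unordered_set<std::string> props;  // own property names
};

// "Before" shape: for a DOM proxy the walk starts at its proto and assumes
// that proto is non-null. Never call this with a null-proto proxy.
bool lookupUnchecked(const Obj& obj, const std::string& name, const Obj** holder) {
    const Obj* cur = obj.isDOMProxy ? obj.proto : &obj;
    for (;;) {
        if (cur->props.count(name)) { *holder = cur; return true; }  // null deref if cur == nullptr
        if (!cur->proto) { *holder = nullptr; return false; }
        cur = cur->proto;
    }
}

// "After" shape: a null proto simply means no holder was found.
bool lookupChecked(const Obj& obj, const std::string& name, const Obj** holder) {
    *holder = nullptr;
    for (const Obj* cur = obj.isDOMProxy ? obj.proto : &obj; cur; cur = cur->proto) {
        if (cur->props.count(name)) { *holder = cur; return true; }
    }
    return false;
}

// Constructed sample: proxy -> protoObj { "title" }; both walks agree.
bool demoFindsOnProto() {
    Obj protoObj; protoObj.props.insert("title");
    Obj proxy; proxy.isDOMProxy = true; proxy.proto = &protoObj;
    const Obj* a = nullptr; const Obj* b = nullptr;
    return lookupUnchecked(proxy, "title", &a) && lookupChecked(proxy, "title", &b)
        && a == &protoObj && b == &protoObj;
}

// Constructed sample: the state left by `document.__proto__ = null`.
bool demoNullProtoIsMiss() {
    Obj proxy; proxy.isDOMProxy = true; proxy.proto = nullptr;
    const Obj* holder = &proxy;
    return !lookupChecked(proxy, "title", &holder) && holder == nullptr;
}

int main() { return (demoFindsOnProto() && demoNullProtoIsMiss()) ? 0 : 1; }
```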
https://hg.mozilla.org/mozilla-central/rev/8500bb462515
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Reproduced in nightly 2013-12-15 but with a different signature [@ js::jit::EffectlesslyLookupProperty ].
Verified fixed 29.0a1 2013-12-18, Win 7 x64.
Status: RESOLVED → VERIFIED