Closed
Bug 950568
Opened 11 years ago
Closed 11 years ago
Baseline crash after { document.__proto__= null; }
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla29
People
(Reporter: jruderman, Assigned: efaust)
References
Details
(Keywords: crash, regression, testcase)
Crash Data
Attachments
(3 files)
With: user_pref("javascript.options.baselinejit.unsafe_eager_compilation", true); Crash [@ js::ObjectImpl::isNative] The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/8ba79063973d user: Eric Faust date: Fri Dec 13 12:01:30 2013 -0800 summary: Bug 926012 - Part 2: Allow __proto__ sets on proxies. (r=Waldo)
Reporter | ||
Comment 1•11 years ago
|
||
Assignee | ||
Comment 3•11 years ago
|
||
This is a really silly one. We just didn't do a nullcheck on the proto coming out of a DOM proxy, since it wasn't settable and wasn't null before. Now it's settable. Oops. Fix also removes unused local variable, |isDOMProxy| as random nearby cleanup.
Assignee: nobody → efaustbmo
Status: NEW → ASSIGNED
Attachment #8348263 -
Flags: review?(kvijayan)
Flags: needinfo?(efaustbmo)
Updated•11 years ago
|
Attachment #8348263 -
Flags: review?(kvijayan) → review+
Assignee | ||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8500bb462515
https://hg.mozilla.org/mozilla-central/rev/8500bb462515
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Comment 6•11 years ago
|
||
Reproduced in nightly 2013-12-15 but with a different signature [@ js::jit::EffectlesslyLookupProperty ]. Verified fixed 29.0a1 2013-12-18, Win 7 x64.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•