Closed Bug 856344 Opened 12 years ago Closed 12 years ago

Crash [@ js::Proxy::has] with adopted <form>

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla23
Tracking Status
firefox22 - verified
firefox23 --- verified

People

(Reporter: jruderman, Assigned: billm)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

The first bad revision is:
changeset: http://hg.mozilla.org/mozilla-central/rev/c4a29b7a2ead
user: Bill McCloskey
date: Mon Mar 18 17:27:09 2013 -0700
summary: Bug 852667 - Permit passing #fixed slots to getInitialShape (r=bhackett)

bp-7d623037-eabc-4b20-b94b-f53cd2130330
Assignee: general → wmccloskey
Attached file stack (gdb) (deleted) —
We don't track all regressions - only those with significant user impact (security, stability, usability, etc.). This bug doesn't appear to meet those criteria at this stage.
Attached patch patch (deleted)
Not surprisingly I screwed up the TradeGuts logic. When we swap A and B, I was thinking that A and B would keep the same number of fixed slots. However, since the class is changing, the meaning of numFixedSlots() sort of changes too (since it depends on whether the class has a private pointer and such). I think we're going to have to clear the nursery out before TradeGuts anyway, so we might as well use tenuredGetAllocKind() here. I checked the one other place where I changed the getInitialShape call, and it still seems correct.
Attachment #732087 - Flags: review?(bhackett1024)
Comment on attachment 732087
patch

Review of attachment 732087:
-----------------------------------------------------------------
The nursery should definitely be cleared if either a or b is not tenured. I don't think it will need to be in other cases though, provided that the GC-triggering stuff like getInitialShape properly moves any pointers in reserved.
Attachment #732087 - Flags: review?(bhackett1024) → review+
Comment on attachment 732087
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 852667
User impact if declined: Crashes
Testing completed (on m-c, etc.): On m-c
Risk to taking this patch (and alternatives if risky): Very low--just restores code to former state.
String or IDL/UUID changes made by this patch: None.
Attachment #732087 - Flags: approval-mozilla-aurora?
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
Attachment #732087 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:22.0) Gecko/20100101 Firefox/22.0
Build ID: 20130618035212

Verified as fixed on Firefox 22 RC1 and there are also no crash reports in Socorro related to this signature.
Flags: in-testsuite?
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0
Build ID: 20130703181823

Verified as fixed on Firefox 23 beta 3.