Bug 1524707 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

The following testcase crashes on mozilla-central revision 024bef408a88 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

```
%testcase%
```

Backtrace:

```
#0  js::GlobalObject::setOriginalEval (this=0x13525a18b060, evalobj=<optimized out>) at js/src/vm/GlobalObject.h:144
#1  FinishObjectClassInit (cx=0x7fe5d2017000, ctor=..., proto=...) at js/src/builtin/Object.cpp:2154
#2  0x000055723c2e5cb4 in js::GlobalObject::resolveConstructor (cx=0x7fe5d2017000, global=..., key=JSProto_Object, mode=<optimized out>) at js/src/vm/GlobalObject.cpp:281
#3  0x000055723c359521 in js::GlobalObject::ensureConstructor (cx=<optimized out>, key=JSProto_Object, global=...) at js/src/vm/GlobalObject.h:169
#4  js::SetPrototype (cx=0x7fe5d2017000, obj=..., proto=..., result=...) at js/src/vm/JSObject.cpp:2803
#5  0x000055723c33eec2 in js::SetPrototype (cx=0x7fe5d2017000, obj=..., proto=...) at js/src/vm/JSObject.cpp:2846
/snip
```

For detailed crash information, see attachment.

The following testcase crashes on mozilla-central revision 024bef408a88 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

```
Object.setPrototypeOf(evalcx("lazy"), {});
```

Backtrace:

```
#0  js::GlobalObject::setOriginalEval (this=0x13525a18b060, evalobj=<optimized out>) at js/src/vm/GlobalObject.h:144
#1  FinishObjectClassInit (cx=0x7fe5d2017000, ctor=..., proto=...) at js/src/builtin/Object.cpp:2154
#2  0x000055723c2e5cb4 in js::GlobalObject::resolveConstructor (cx=0x7fe5d2017000, global=..., key=JSProto_Object, mode=<optimized out>) at js/src/vm/GlobalObject.cpp:281
#3  0x000055723c359521 in js::GlobalObject::ensureConstructor (cx=<optimized out>, key=JSProto_Object, global=...) at js/src/vm/GlobalObject.h:169
#4  js::SetPrototype (cx=0x7fe5d2017000, obj=..., proto=..., result=...) at js/src/vm/JSObject.cpp:2803
#5  0x000055723c33eec2 in js::SetPrototype (cx=0x7fe5d2017000, obj=..., proto=...) at js/src/vm/JSObject.cpp:2846
/snip
```

For detailed crash information, see attachment.
