WebGLFloatArray constructor crashes if passed an uninitialized array [@ TypedArrayTemplate<float>::copyFrom] [@ JSObject::defaultValue]

RESOLVED WORKSFORME

Status

Core
JavaScript Engine
--
critical
RESOLVED WORKSFORME
8 years ago
6 years ago

People

(Reporter: Wladimir Palant, Unassigned)

Tracking

({crash})

Trunk
x86
Windows 7
crash
Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

8 years ago
Typing the following into the location bar triggers a crash:

javascript:new WebGLFloatArray(new Array(1))
javascript:var a = new Array(1);a.push(1);new WebGLFloatArray(a)

Crash reports (for the first and second testcase respectively):

bp-b426174d-060a-4623-b1e2-906f12100205
bp-14fc10e6-36c4-4061-90ed-42a642100205

I am filing this under JavaScript Engine since that's where the crash happens. The build I was using: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.3a1pre) Gecko/20100204 Minefield/3.7a1pre

Comment 1

Apparently this has been fixed; it's not crashing for me (Linux x86-64).
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME
(Reporter)

Comment 2

7 years ago
Confirmed, WORKSFORME on Mozilla/5.0 (Windows; U; Windows NT 6.1; WOW64; en-US; rv:1.9.3a6pre) Gecko/20100617 Minefield/3.7a6pre
Crash Signature: [@ TypedArrayTemplate<float>::copyFrom] [@ JSObject::defaultValue]
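
The two testcases from the description, replayed as a regression check. This is an added example, not part of the bug report or of Mozilla's test suite. It assumes `Float32Array`, the name under which `WebGLFloatArray` was later standardized, and goes beyond the report by covering the other typed-array element types as well; the function names are hypothetical.

```javascript
// Added regression check (not from the bug report).
// Assumption: Float32Array stands in for the report's WebGLFloatArray.
const CTORS = [Float32Array, Float64Array, Int8Array, Uint8Array,
               Int16Array, Uint16Array, Int32Array, Uint32Array];

// The two inputs from the report: an array holding only a hole,
// and an array with a hole followed by a real element.
function reportInputs() {
  const onlyHole = new Array(1);
  const holeThenValue = new Array(1);
  holeThenValue.push(1);
  return [onlyHole, holeThenValue];
}

// A hole reads as undefined, which converts to NaN; integer-typed arrays
// store NaN as 0. Present values here are small integers, exactly
// representable in every element type.
function expectedElement(Ctor, source, i) {
  const isFloat = Ctor === Float32Array || Ctor === Float64Array;
  if (!(i in source)) return isFloat ? NaN : 0;
  return Number(source[i]);
}

// Copy a sparse array into a typed array and verify length and every element.
function checkSparseCopy(Ctor, source) {
  const typed = new Ctor(source);
  if (typed.length !== source.length) return false;
  for (let i = 0; i < source.length; i++) {
    // Object.is treats NaN as equal to NaN, unlike ===.
    if (!Object.is(typed[i], expectedElement(Ctor, source, i))) return false;
  }
  return true;
}

// Returns the list of failing constructor/testcase pairs (empty when all pass).
function runAll() {
  const failures = [];
  for (const Ctor of CTORS) {
    reportInputs().forEach((src, n) => {
      if (!checkSparseCopy(Ctor, src)) failures.push(`${Ctor.name} testcase ${n + 1}`);
    });
  }
  return failures;
}

console.log(runAll().length === 0 ? "all sparse-array copies OK" : runAll());
```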