As a security precaution, we have turned on the setting "Require API key authentication for API requests" for everyone. If this has broken something, please contact
Last Comment Bug 728722 - Crash [@ js::ArrayBuffer::obj_lookupGeneric]
: Crash [@ js::ArrayBuffer::obj_lookupGeneric]
: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Mac OS X
: -- critical (vote)
: ---
Assigned To: general
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz 686296 745452
  Show dependency treegraph
Reported: 2012-02-19 12:18 PST by Gary Kwong [:gkw] [:nth10sd]
Modified: 2012-08-21 10:15 PDT (History)
6 users (show)
gary: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

stack (11.28 KB, text/plain)
2012-02-19 12:18 PST, Gary Kwong [:gkw] [:nth10sd]
no flags Details

Description User image Gary Kwong [:gkw] [:nth10sd] 2012-02-19 12:18:42 PST
Created attachment 598688 [details]

JSON.__proto__[1] = Uint8ClampedArray().buffer
f = (function() {
    function g(c) {
        Object.freeze(c).__proto__ = c
    for each(b in []) {
        try {
        } catch (e) {}

crashes js 32-bit debug and opt shell on m-c changeset 24f2c7e26fbd without any CLI arguments with too much recursion at js::ArrayBuffer::obj_lookupGeneric
Comment 1 User image Gary Kwong [:gkw] [:nth10sd] 2012-02-19 12:38:56 PST
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   85066:8a915ca62e05
user:        Tom Schuster
date:        Sat Jan 21 19:25:54 2012 +0100
summary:     Bug 686296 - Non-extensible ArrayBuffer __proto__ should not be changable. r=jorendorff
Comment 2 User image Gary Kwong [:gkw] [:nth10sd] 2012-02-19 13:06:31 PST
On closer examination, bug 686296 might not be the only patch involved - it just turned the testcase in comment 0 from an assert into a too much recursion crash.
Comment 3 User image Jesse Ruderman 2012-03-30 10:05:49 PDT
See also bug 740872.
Comment 4 User image Gary Kwong [:gkw] [:nth10sd] 2012-07-31 22:55:24 PDT
Probably fixed by bug 770344, in any case the test was added in bug 779215. -> RESOLVED / VERIFIED FIXED

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   99553:7a26f7c820bd
user:        Jeff Walden
date:        Wed Jun 27 18:35:56 2012 -0700
summary:     Bug 770344 - Experiment implementing __proto__ as an accessor.  r=luke

Note You need to log in before you can comment on or make changes to this bug.