Crash [@ js::ArrayBuffer::obj_lookupGeneric]

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Opened: 5 years ago
Last updated: 5 years ago
Reporter: gkw
Assignee: Unassigned
Blocks: 1 bug
Keywords: crash, regression, testcase
Version: Trunk
Platform: x86, Mac OS X
Bug Flags: in-testsuite +
Firefox Tracking Flags: Not tracked
Attachments: 1 attachment

(Reporter)

Description

5 years ago
Created attachment 598688: stack

JSON.__proto__[1] = Uint8ClampedArray().buffer
f = (function() {
    function g(c) {
        Object.freeze(c).__proto__ = c
    }
    for each(b in []) {
        try {
            g(b)
        } catch (e) {}
    }
})
f()
f()

crashes js 32-bit debug and opt shell on m-c changeset 24f2c7e26fbd, without any CLI arguments, with too much recursion at js::ArrayBuffer::obj_lookupGeneric.
(Reporter)

Comment 1

5 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   85066:8a915ca62e05
user:        Tom Schuster
date:        Sat Jan 21 19:25:54 2012 +0100
summary:     Bug 686296 - Non-extensible ArrayBuffer __proto__ should not be changable. r=jorendorff
Blocks: 686296
(Reporter)

Comment 2

5 years ago
On closer examination, bug 686296 might not be the only patch involved - it just turned the testcase in comment 0 from an assert into a too much recursion crash.

Comment 3

5 years ago
See also bug 740872.
(Reporter)

Comment 4

5 years ago
Probably fixed by bug 770344; in any case, the test was added in bug 779215. -> RESOLVED / VERIFIED FIXED

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   99553:7a26f7c820bd
user:        Jeff Walden
date:        Wed Jun 27 18:35:56 2012 -0700
summary:     Bug 770344 - Experiment implementing __proto__ as an accessor.  r=luke
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Whiteboard: js-triage-needed
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
Blocks: 745452
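
The invariants named in the two changeset summaries above can be checked on a current engine with a port of the comment 0 testcase to standard syntax. This is an added example, not part of the original bug or its in-tree test; the function names `runPortedTestcase` and `protoIsAccessor` are hypothetical, and the port records each failure instead of swallowing it.

```javascript
// Port of the comment 0 testcase: `for each (b in [])` becomes for...in plus
// a property read, and the empty catch block becomes a recorded result.
function runPortedTestcase() {
  const results = [];
  const buf = new Uint8ClampedArray().buffer;
  // JSON.__proto__ is Object.prototype, so the original first line makes the
  // buffer an inherited, enumerable property of every ordinary object.
  Object.prototype[1] = buf;
  try {
    for (let pass = 0; pass < 2; pass++) {   // the original calls f() twice
      for (const key in []) {                // enumerates the inherited key "1"
        const c = [][key];
        const before = Object.getPrototypeOf(c);
        let error = null;
        try {
          Object.freeze(c).__proto__ = c;    // frozen object, cyclic prototype
        } catch (e) {
          error = e;
        }
        results.push({
          key,
          threwTypeError: error instanceof TypeError,
          protoUnchanged: Object.getPrototypeOf(c) === before,
          // The prototype-chain walk for a missing property must terminate.
          lookupTerminates: c.noSuchProperty === undefined,
        });
      }
    }
  } finally {
    delete Object.prototype[1];              // undo the global change
  }
  return results;
}

// Bug 770344's summary: __proto__ implemented as an accessor property.
function protoIsAccessor() {
  const d = Object.getOwnPropertyDescriptor(Object.prototype, '__proto__');
  return d !== undefined &&
    typeof d.get === 'function' && typeof d.set === 'function';
}
```

On an engine with both fixes, every recorded entry reports a TypeError, an unchanged prototype, and a lookup that returns.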