Bug 745452: Infinite recursion crash with ArrayBuffer through js::ArrayBuffer::obj_lookupGeneric
Status: RESOLVED FIXED (opened 13 years ago, closed 13 years ago)
Categories: Core :: JavaScript Engine, defect
People: Reporter: decoder, Unassigned
Keywords: crash, testcase
Whiteboard: js-triage-needed [jsbugmon:update,ignore]
The following test crashes on mozilla-central revision 55e7efcc1946 (no options required):
var o = Object.preventExtensions(new ArrayBuffer);
try { (function () { o.__proto__ = ({ __proto__: o, indexArray: ["abc"] }); })(); } catch(exc) {}
uneval(this);
Here's one cycle of the recursion that leads to the crash:
#250 0x0000000000543643 in LookupPropertyWithFlagsInline (cx=0xbaba90, obj=0x7ffff6115140, id=..., flags=1, objp=0x7fffffffc448, propp=0x7fffffffc440) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4696
#251 0x00000000005437ef in js_LookupProperty (cx=0xbaba90, obj=0x7ffff6105080, id=..., objp=0x7fffffffc448, propp=0x7fffffffc440) at /srv/repos/mozilla-central/js/src/jsobj.cpp:4731
#252 0x00000000004078f1 in JSObject::lookupGeneric (this=0x7ffff6105080, cx=0xbaba90, id=..., objp=0x7fffffffc448, propp=0x7fffffffc440) at ../../jsobjinlines.h:1019
#253 0x00000000005cc241 in js::ArrayBuffer::obj_lookupGeneric (cx=0xbaba90, obj=0x7ffff61031a0, id=..., objp=0x7fffffffc448, propp=0x7fffffffc440) at /srv/repos/mozilla-central/js/src/jstypedarray.cpp:359
#254 0x00000000004078f1 in JSObject::lookupGeneric (this=0x7ffff61031a0, cx=0xbaba90, id=..., objp=0x7fffffffc448, propp=0x7fffffffc440) at ../../jsobjinlines.h:1019
Reporter, updated 13 years ago:
Whiteboard: js-triage-needed → js-triage-needed [jsbugmon:update,bisect,bisectfix]
Reporter, updated 13 years ago:
Whiteboard: js-triage-needed [jsbugmon:update,bisect,bisectfix] → js-triage-needed [jsbugmon:update,ignore]
Reporter, Comment 2, 13 years ago:
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f9a8fdb08193).
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: 99553:7a26f7c820bd
user: Jeff Walden
date: Wed Jun 27 18:35:56 2012 -0700
summary: Bug 770344 - Experiment implementing __proto__ as an accessor. r=luke
Reporter, Comment 3, 13 years ago:
Likely fixed by bug 728722, marking as fixed.
Reporter, Comment 4, 13 years ago:
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
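A regression check for the testcase in the description, added here as an example (it is not part of the bug report or of the committed test): under current ECMAScript semantics the prototype assignment must be refused, once because `o` is non-extensible and once because it would close a prototype cycle. The function names are hypothetical, and `Reflect.setPrototypeOf` is used alongside the `__proto__` assignment so the refusal is visible as a return value; `uneval` is omitted because it exists only in the SpiderMonkey shell.

```javascript
// Added example: function names are hypothetical, not from the bug or the test suite.

// Replays the prototype assignment from the testcase on a fresh ArrayBuffer.
function replayTestcase() {
  const o = Object.preventExtensions(new ArrayBuffer(0));
  const child = { __proto__: o, indexArray: ["abc"] };

  // Reflect.setPrototypeOf reports a refused [[SetPrototypeOf]] as false.
  const accepted = Reflect.setPrototypeOf(o, child);

  // The __proto__ setter used by the testcase must throw on the same refusal.
  let error = null;
  try { o.__proto__ = child; } catch (exc) { error = exc; }

  return {
    accepted,
    threwTypeError: error instanceof TypeError,
    protoUnchanged: Object.getPrototypeOf(o) === ArrayBuffer.prototype,
    // A property miss walks the whole prototype chain, the kind of lookup that
    // recursed in the stack trace; it has to terminate and report absence.
    missLookup: "noSuchProperty" in o,
    childSeesBuffer: Object.getPrototypeOf(child) === o,
  };
}

// Same assignment without preventExtensions, so only the cycle check can refuse it.
function replayCycleOnly() {
  const o = new ArrayBuffer(0);
  const child = { __proto__: o };
  const accepted = Reflect.setPrototypeOf(o, child);
  return {
    accepted,
    protoUnchanged: Object.getPrototypeOf(o) === ArrayBuffer.prototype,
  };
}

console.log(replayTestcase(), replayCycleOnly());
```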