Closed Bug 842482 Opened 10 years ago Closed 10 years ago
Crash with array buffer from other global
var g = newGlobal(); new g.DataView(new g.ArrayBuffer()); The first bad revision is: changeset: 5ddd827d87ec user: Terrence Cole date: Tue Feb 12 11:50:49 2013 -0800 summary: Bug 839215 - Make large typedarrays singletons more aggressively; r=bhackett
Crash Signature: [@ js::EncapsulatedPtr<JSFunction, unsigned long>::operator JSFunction*()]
Crash Signature: [@ js::EncapsulatedPtr<JSFunction, unsigned long>::operator JSFunction*()] → [@ js::EncapsulatedPtr<JSFunction, unsigned long>::operator JSFunction*()] [@ js::types::UseNewTypeForInitializer(JSContext*, JSScript*, unsigned char*, JSProtoKey) ]
Passing on to Terrence as this may be a fallout from 839215 per description . Please feel free to reassign if needed.
Assignee: general → terrence
Attachment #717941 - Flags: review?(bhackett1024) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment on attachment 717941 [details] [diff] [review] v0 [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 839215 User impact if declined: Crash on cross-global typedarray creation. Testing completed (on m-c, etc.): Fuzz test checked into mozilla-inbound. Risk to taking this patch (and alternatives if risky): Zero. This is a trivial crash fix. String or UUID changes made by this patch: None.
Attachment #717941 - Flags: approval-mozilla-aurora?
Attachment #717941 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.