Closed Bug 842482 Opened 11 years ago Closed 11 years ago

Crash with array buffer from other global

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla22
Tracking Flags:
Tracking Status
firefox21 + fixed
firefox22 --- fixed

People

(Reporter: jruderman, Assigned: terrence)

References

Details

(Keywords: crash, regression, testcase)

Crash Data

Attachments

(3 files)

stack
4.10 KB, text/plain
Details
browser testcase (crashes Firefox when loaded)
258 bytes, text/html
Details
v0
1.61 KB, patch
bhackett1024
: review+
bajaj
: approval-mozilla-aurora+
Details | Diff | Splinter Review
Attached file stack 
var g = newGlobal();
new g.DataView(new g.ArrayBuffer());

The first bad revision is:
changeset:   5ddd827d87ec
user:        Terrence Cole
date:        Tue Feb 12 11:50:49 2013 -0800
summary:     Bug 839215 - Make large typedarrays singletons more aggressively; r=bhackett
Crash Signature: [@ js::EncapsulatedPtr<JSFunction, unsigned long>::operator JSFunction*()]
bp-87414cc9-6485-46e0-9bc7-a2bcf2130219
Crash Signature: [@ js::EncapsulatedPtr<JSFunction, unsigned long>::operator JSFunction*()] → [@ js::EncapsulatedPtr<JSFunction, unsigned long>::operator JSFunction*()] [@ js::types::UseNewTypeForInitializer(JSContext*, JSScript*, unsigned char*, JSProtoKey) ]
OS: Mac OS X → All
Hardware: x86_64 → All
Passing on to Terrence as this may be a fallout from 839215 per description . Please feel free to reassign if needed.
Assignee: general → terrence
Attached patch v0Splinter Review 

        Attachment #717941 -
        Flags: review?(bhackett1024)

        Attachment #717941 -
        Flags: review?(bhackett1024) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/5bb4e4ea6977
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla22

    
    

    
  
Comment on attachment 717941 [details] [diff] [review]
v0

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 839215
User impact if declined: Crash on cross-global typedarray creation.
Testing completed (on m-c, etc.): Fuzz test checked into mozilla-inbound.
Risk to taking this patch (and alternatives if risky): Zero. This is a trivial crash fix.
String or UUID changes made by this patch: None.

        Attachment #717941 -
        Flags: approval-mozilla-aurora?

        Attachment #717941 -
        Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: