Bug 17925

Summary: Crash in KJS::JSObject::put after setting this.__proto__
Product: WebKit Reporter: Jesse Ruderman <jruderman>
Component: JavaScriptCoreAssignee: Mark Rowe (bdash) <mrowe>
Status: RESOLVED FIXED    
Severity: Critical CC: eric, mjs
Priority: P2 Keywords: HasReduction, InRadar
Version: 528+ (Nightly build)   
Hardware: Mac   
OS: OS X 10.5   
Bug Depends on:    
Bug Blocks: 13638    

Description Jesse Ruderman 2008-03-18 16:33:37 PDT 
Feeding this script to ToT Release/testkjs makes it crash.

this.__proto__ = 1; r = 2;
Comment 1 Mark Rowe (bdash) 2008-03-18 16:52:54 PDT 
<rdar://problem/5806428>
Comment 2 Mark Rowe (bdash) 2008-03-18 18:51:03 PDT 
Fixed in r31145.
Comment 3 Anders Carlsson 2008-05-27 16:04:59 PDT 
Reopening this since it still happens.
Comment 4 Anders Carlsson 2008-05-27 17:46:53 PDT 
Committed revision 34160.