Bug 35730
| Summary: | Crashes after delete Array.prototype | ||
|---|---|---|---|
| Product: | WebKit | Reporter: | Peter Leonov <gojpeg> |
| Component: | JavaScriptCore | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED WORKSFORME | ||
| Severity: | Normal | CC: | barraclough, xan.lopez |
| Priority: | P2 | ||
| Version: | 528+ (Nightly build) | ||
| Hardware: | Mac (Intel) | ||
| OS: | OS X 10.6 | ||
| URL: | http://lib.programica.ru/lib/tests/crash-safari.html | ||
Peter Leonov
This simplified test case crashes Safari 4.0.4 on my old Intel Mac (Core Duo, iMac 4,1) with all updates installed.
In the latest nightly build all is OK. On a new iMac with Core 2 Duo Safari does not crash at all ;)
| Attachments | ||
|---|---|---|
| Add attachment proposed patch, testcase, etc. |
Peter Leonov
Cut from that page:
function blablabla (m)
{
[].push()
m.constructor === Array
}
function crash ()
{
Array.prototype.xxx6 = 123
blablabla(123)
delete Array.prototype.xxx6
blablabla([])
new Array().join()
{
[].sort()
}
}
crash()
Xan Lopez
I don't get a crash with ToT with that code.
Gavin Barraclough
Works for me too.