Bug 6985

Summary: cyclic __proto__ values aren't caught
Product: WebKit Reporter: Ian 'Hixie' Hickson <ian>
Component: JavaScriptCoreAssignee: Eric Seidel (no email) <eric>
Status: RESOLVED FIXED    
Severity: Critical CC: gavin.sharp, ian
Priority: P1    
Version: 420+   
Hardware: PC   
OS: Linux   
URL: data:text/html,%3C%21DOCTYPE%20html%3E%0A%3Cscript%3E%0Avar%20o1%20%3D%20%7B%20p1%3A%201%20%7D%3B%0Avar%20o2%20%3D%20%7B%20p2%3A%202%20%7D%3B%0Ao2.__proto__%20%3D%20o1%3B%0Avar%20o3%20%3D%20%7B%20p3%3A%203%20%7D%3B%0Ao3.__proto__%20%3D%20o2%3B%0Ao1.__proto__%20%3D%20o3%3B%20//%20this%20hangs%0A%3C/script%3E
Bug Depends on:    
Bug Blocks: 13638    
Attachments:
Description Flags
the fix mjs: review+

Ian 'Hixie' Hickson
Reported 2006-01-31 16:34:40 PST
STEPS TO REPRODUCE Run the following JS: var o1 = { p1: 1 }; var o2 = { p2: 2 }; o2.__proto__ = o1; var o3 = { p3: 3 }; o3.__proto__ = o2; o1.__proto__ = o3; // this hangs ACTUAL RESULTS Hang. EXPECTED RESULTS It should raise an exception "cyclic __proto__ value".
Attachments
the fix (2.69 KB, patch)
2007-05-09 03:27 PDT, Eric Seidel (no email) 		mjs: review+
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Eric Seidel (no email)
Comment 1 2007-05-09 03:27:53 PDT
Created attachment 14427 [details] the fix
Eric Seidel (no email)
Comment 2 2007-05-09 03:32:48 PDT
As a reproducible crasher, this should be a P1.
Eric Seidel (no email)
Comment 3 2007-05-09 03:59:16 PDT
Fixed in r21332.
Maciej Stachowiak
Comment 4 2007-05-09 04:00:37 PDT
Comment on attachment 14427 [details] the fix r=me
Note You need to log in before you can comment on or make changes to this bug.