Created attachment 43870: Repro

Repro:

<SCRIPT>
new WebGLArrayBuffer().byteLength;
</SCRIPT>
This is a Chromium-specific bug. There is confusion in the V8 bindings between the case where you fetch a preexisting WebGLArrayBuffer object (for example, WebGLArray.buffer) or call the WebGLArrayBuffer constructor with no arguments (new WebGLArrayBuffer()). As far as I know, there is currently no way to distinguish between these two cases, so we guess incorrectly and end up with a partially initialized JavaScript object. I'll need to consult with the V8 team to understand how to fix this issue. In the interim, I'm lowering this to P2 because it isn't the highest priority issue.
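The two binding paths the comment above distinguishes, exercised from script, as an added example that is not the attached repro and not WebKit or Chromium code. It assumes the standardized names ArrayBuffer and Uint8Array in place of the WebGLArrayBuffer and WebGLArray types of the time, so it runs in any current engine; each check returns its observations rather than relying on a crash, so a partially initialized wrapper shows up as a reported failure.

```javascript
// Added example, not from the bug thread. Assumption: ArrayBuffer / Uint8Array
// are the standardized successors of WebGLArrayBuffer / WebGLArray.

// Path 1: zero-argument constructor call (the case the repro hits).
// A partially initialized wrapper would have no usable byteLength here.
function checkZeroArgConstructor() {
  const buf = new ArrayBuffer();
  return {
    isArrayBuffer: buf instanceof ArrayBuffer,
    byteLength: buf.byteLength,
    byteLengthIsNumber: typeof buf.byteLength === 'number',
  };
}

// Path 2: fetching a pre-existing buffer through a typed array's .buffer.
// The binding must wrap the existing native object, not construct a new one,
// and must hand back the same wrapper on repeated access.
function checkPreexistingBuffer() {
  const view = new Uint8Array(4);
  const buf = view.buffer;
  return {
    isArrayBuffer: buf instanceof ArrayBuffer,
    byteLength: buf.byteLength,
    sameWrapper: view.buffer === buf,
    viewLengthMatches: view.length === buf.byteLength,
  };
}

// Runs both paths and collects failures; a throw inside a check is recorded
// as a failure for that path instead of aborting the whole run.
function runChecks() {
  const failures = [];
  const run = (name, fn, ok) => {
    try {
      if (!ok(fn())) failures.push(name);
    } catch (e) {
      failures.push(`${name}: threw ${e && e.message}`);
    }
  };
  run('zero-arg constructor', checkZeroArgConstructor,
      r => r.isArrayBuffer && r.byteLengthIsNumber && r.byteLength === 0);
  run('pre-existing buffer via .buffer', checkPreexistingBuffer,
      r => r.isArrayBuffer && r.byteLength === 4 && r.sameWrapper && r.viewLengthMatches);
  return failures;
}

if (typeof require !== 'undefined' && require.main === module) {
  const failures = runChecks();
  console.log(failures.length === 0 ? 'PASS' : 'FAIL: ' + failures.join('; '));
}
```

On an engine with the bug described above, the first check would report a failure (or a throw) for the zero-argument path while the second still passes, which is exactly the asymmetry between the two binding cases.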
Then maybe we should close this bug and use the Chrome bug (http://code.google.com/p/chromium/issues/detail?id=28821) to track it, or open a new v8 bug?
This is definitely the right place for this bug since any fix will have to go into the WebKit repository. After looking more at the JSC bindings I see what I was doing incorrectly in the V8 bindings for this constructor. Patch to follow.
Created attachment 44347: Patch

Fixed bug in handling of zero-argument constructor call.
style-queue ran check-webkit-style on attachment 44347 without any errors.
Comment on attachment 44347 (Patch): r=me.
Comment on attachment 44347 (Patch): Clearing flags on attachment 44347. Committed r51785: <http://trac.webkit.org/changeset/51785>
All reviewed patches have been landed. Closing bug.