Crashing Mozilla (Firefox 1.5)

This page demonstrates a bug which causes Mozilla browsers (Firefox 1.5) to crash.

It seems to be a problem with setting the __proto__ property of a function object and running that function.

The crash-code:

function crash(){
    function f(){
        var x;
        function g(){
            x=1; //reference anything here or mozilla will not crash.
        }
    }
    
    //apply an object to the __proto__ attribute
    f.__proto__={}; //= [];
    
    //the following call will cause mozilla to crash
    f();
}

To play with the code you can also run it in jsolait-live

I do understand that Mozilla is using the __proto__ property on objects for its prototype chain handling. Though, as neither Mozilla's JavaScript specs nor the ECMAScript specs disallow the use of such properties in the user's script, using such properties should neither crash the script execution nor crash the entire browser.

The prototype chain handling should not depend on the __proto__; it should rather use an internal object not directly visible to the script. Prototype chain handling could still be made accessible to the script by providing functions (e.g. functions like setProto(obj, newProto) and getProto(obj)). This way overwriting even those functions will neither affect the script nor the prototype chain handling. A script could still implement the __proto__ property by using getters and setters. The advantage would be that the __proto__ object would only exist in that script and cause no problems to other scripts.

Please do correct me if I am wrong about the above.

Jan
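
The design proposed above, sketched as an added example that is not part of the original page: getProto and setProto (the names suggested in the text) are built on the standard Object.getPrototypeOf and Object.setPrototypeOf, and a script-local __proto__ accessor is layered on top with a getter and setter. The helper names addLocalProtoAccessor and demo are hypothetical.

```javascript
"use strict";
// Added example. getProto/setProto are the hypothetical names used in the text,
// built here on the standard Object.getPrototypeOf / Object.setPrototypeOf.
function getProto(obj) { return Object.getPrototypeOf(obj); }
function setProto(obj, newProto) { return Object.setPrototypeOf(obj, newProto); }

// Hypothetical helper: gives ONE object a __proto__ property made of a getter
// and setter. Other objects and other scripts are not affected by it.
function addLocalProtoAccessor(obj) {
    Object.defineProperty(obj, "__proto__", {
        configurable: true,
        enumerable: false,
        get() { return getProto(this); },
        set(p) {
            // Only an object, a function or null can be a prototype.
            const ok = p === null || typeof p === "object" || typeof p === "function";
            if (ok) setProto(this, p);
        }
    });
    return obj;
}

function demo() {
    // 1. Without any accessor, "__proto__" is an ordinary property name:
    //    assigning it stores a value and leaves the prototype chain alone.
    const bare = Object.create(null);
    bare.__proto__ = { marker: 1 };
    const plainProperty = getProto(bare) === null &&
        Object.prototype.hasOwnProperty.call(bare, "__proto__");

    // 2. With the script-local accessor, the same assignment goes through
    //    setProto and really changes the chain of that one object.
    const base = { greet() { return "hi"; } };
    const local = addLocalProtoAccessor(Object.create(null));
    local.__proto__ = base;
    const chainChanged = getProto(local) === base && local.greet() === "hi";

    // 3. The shape of the page's test case: a function with a nested closure
    //    whose prototype is replaced by a plain object. The call mechanism is
    //    internal to the function, so calling it still works.
    function f() { var x; function g() { x = 1; } return typeof g; }
    setProto(f, {});
    const callResult = f();

    return { plainProperty, chainChanged, callResult };
}

console.log(demo());
```
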