Bug 509075 - add crashtest

js/src/xpconnect/crashtests/509075-1.html

@@ -0,0 +1,28 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
+<html>
+  <script>
+
+    var txt = document.createTextNode("");
+    var b = document.createElement("b");
+    var w = b["watch"];
+    var txtdg = txt["__lookupGetter__"];
+    w["__defineGetter__"]("toString",txtdg);
+    var obj = {
+      variable: 910,
+      fun: function() {
+        w["toString"]();
+      }
+    };
+
+    function vuln()
+    {
+      window.status = "" + obj.variable;
+      try{
+        obj.fun();
+      }catch(er){}
+      return obj;
+    }
+
+    var ret = vuln();
+  </script>
+</html>

js/src/xpconnect/crashtests/crashtests.list

@@ -21,6 +21,7 @@ load 475185-1.html
 load 475291-1.html
 load 503286-1.html
 load 504000-1.html
+load 509075-1.html
 load 512815-1.html
 load 545291-1.html
 load 558979.html