Bug 1519612 Comment 0 Edit History


The following testcase crashes on mozilla-central revision 3aec75953c28 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion -D):

```js
// jsfunfuzz-generated
x = [""];
// Adapted from randomly chosen test: js/src/jit-test/tests/promise/unhandled-rejections-error.js
// The rejection reason is an object whose toSource() throws.
Promise.reject(
    {
        toSource() {
            throw "";
        }
    }
);
```

Backtrace:

```text
#0  js::CheckForInterrupt (cx=0x7fae07918000) at js/src/vm/JSContext-inl.h:288
#1  0x000055d1d55591b9 in array_toSource (cx=0x7fae07918000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Array.cpp:1207
#2  0x000055d1d5501950 in CallJSNative (cx=0x7fae07918000, native=0x55d1d5558e60 <array_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:444
#3  0x000055d1d54f1f4d in js::InternalCallOrConstruct (cx=0x7fae07918000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:536
#4  0x000055d1d54f2abd in js::Call (cx=0x7fae08abc680 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:607
#5  0x000055d1d56b00bf in js::Call (cx=0x7fae07918000, fval=..., thisObj=<optimized out>, rval=...) at js/src/vm/Interpreter.h:91
/snip
```

For detailed crash information, see attachment.
