The following testcase crashes on mozilla-central revision 3aec75953c28 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion -D):

// jsfunfuzz-generated
x = [""];
// Adapted from randomly chosen test: js/src/jit-test/tests/promise/unhandled-rejections-error.js
Promise.reject(
    {
        toSource() {
            throw "";
        }
    }
);

Backtrace:

#0 js::CheckForInterrupt (cx=0x7fae07918000) at js/src/vm/JSContext-inl.h:288
#1 0x000055d1d55591b9 in array_toSource (cx=0x7fae07918000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Array.cpp:1207
#2 0x000055d1d5501950 in CallJSNative (cx=0x7fae07918000, native=0x55d1d5558e60 <array_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:444
#3 0x000055d1d54f1f4d in js::InternalCallOrConstruct (cx=0x7fae07918000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:536
#4 0x000055d1d54f2abd in js::Call (cx=0x7fae08abc680 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:607
#5 0x000055d1d56b00bf in js::Call (cx=0x7fae07918000, fval=..., thisObj=<optimized out>, rval=...) at js/src/vm/Interpreter.h:91
/snip

For detailed crash information, see attachment.

Bug 1519612 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

The following testcase crashes on mozilla-central revision 3aec75953c28 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion -D):

```
// jsfunfuzz-generated
x = [""];
// Adapted from randomly chosen test: js/src/jit-test/tests/promise/unhandled-rejections-error.js
Promise.reject(
    {
        toSource() {
            throw "";
        }
    }
);
```

Backtrace:

#0 js::CheckForInterrupt (cx=0x7fae07918000) at js/src/vm/JSContext-inl.h:288
#1 0x000055d1d55591b9 in array_toSource (cx=0x7fae07918000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/Array.cpp:1207
#2 0x000055d1d5501950 in CallJSNative (cx=0x7fae07918000, native=0x55d1d5558e60 <array_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:444
#3 0x000055d1d54f1f4d in js::InternalCallOrConstruct (cx=0x7fae07918000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:536
#4 0x000055d1d54f2abd in js::Call (cx=0x7fae08abc680 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:607
#5 0x000055d1d56b00bf in js::Call (cx=0x7fae07918000, fval=..., thisObj=<optimized out>, rval=...) at js/src/vm/Interpreter.h:91
/snip

For detailed crash information, see attachment.