Bug 1526840 Comment 0 Edit History

The following testcase crashes on mozilla-central revision 6a3edc353ef2 (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

    x = 0n;
    function f(x) {
        if (x) {
          x = 0;
        }
        else {
          x = 0;
        }
    }
    y = [1, x];
    for (let j = 0; j < 2; ++j) {
        for (let k = 0; k < 2; ++k) {
            f(y[j]);
        }
    }

Backtrace:

#0  0x000029eca35cd883 in ?? ()
#1  0x000029eca34a5ac4 in ?? ()
#2  0x0000000000001043 in ?? ()
#3  0x00003e6c435b2a62 in ?? ()
#4  0x0000000000000000 in ?? ()
/snip

For detailed crash information, see attachment.

Unboxing type mismatch sounds dangerous, setting s-s as a start.
The following testcase crashes on mozilla-central revision 6a3edc353ef2 (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

    // Adapted from randomly chosen test: js/src/tests/test262/language/expressions/postfix-increment/bigint.js
    x = 0n;
    // jsfunfuzz-generated
    function f(x) {
        if (x) {
          x = 0;
        }
        else {
          x = 0;
        }
    }
    y = [1, x];
    for (let j = 0; j < 2; ++j) {
        for (let k = 0; k < 2; ++k) {
            f(y[j]);
        }
    }

Backtrace:

#0  0x000029eca35cd883 in ?? ()
#1  0x000029eca34a5ac4 in ?? ()
#2  0x0000000000001043 in ?? ()
#3  0x00003e6c435b2a62 in ?? ()
#4  0x0000000000000000 in ?? ()
/snip

For detailed crash information, see attachment.

Unboxing type mismatch sounds dangerous, setting s-s as a start.
The following testcase crashes on mozilla-central revision 6a3edc353ef2 (build with --enable-debug, run with --fuzzing-safe --no-threads --ion-eager):

    // Adapted from randomly chosen test: js/src/tests/test262/language/expressions/postfix-increment/bigint.js
    x = 0n;
    // jsfunfuzz-generated
    function f(x) {
        if (x) {
          x = 0;
        }
        else {
          x = 0;
        }
    }
    y = [1, x];
    for (let j = 0; j < 2; ++j) {
        for (let k = 0; k < 2; ++k) {
            f(y[j]);
        }
    }

Backtrace:

#0  0x000029eca35cd883 in ?? ()
#1  0x000029eca34a5ac4 in ?? ()
#2  0x0000000000001043 in ?? ()
#3  0x00003e6c435b2a62 in ?? ()
#4  0x0000000000000000 in ?? ()
/snip

For detailed crash information, see attachment.

Unboxing type mismatch sounds dangerous, setting s-s as a start.