Created attachment 318482 [details]
I found this bug and reduced it. Jesse Ruderman helped to reduce it even more, till:
This command crashes at js_AtomToPrintableString with address 0x0000000000000013. It does not crash trunk js shell.
Nominating blocking126.96.36.199 per Brendan's advice.
Varying the length of the initial string produce different addresses, in comment #0 it is 13 (last few digits), I've seen 9 for shorter strings *and* strings with around 1500 characters, while some with lengths in between produce digits like e17 and 199.
If a suitably long initial string replaces "012345", it comes out with a "TypeError: redeclaration of const -144946491", and it changes to "TypeError: redeclaration of const 242614271" for an incredibly long string. Both cases with these TypeErrors don't crash though.
(In reply to comment #0)
> It does not crash trunk js shell.
(In reply to comment #2)
> Both cases with these TypeErrors don't crash though.
Correction: The js shells in these cases work as expected, this should be the correct phrase.
Blocking per Brendan, but is this really a security bug? If the offsets are all small offsets from 0 then likely not, but the fact that they vary based on input length is worrying.
Can you take this, Igor?
The bug is a dup of a trunk bug 371292 that was not nominated for the branch. I will do the branch fix there.
*** This bug has been marked as a duplicate of bug 371292 ***
I am moving 188.8.131.52 nomination to the bug 371292 as this bug is a duplicate of the latter.