TM: incorrect value when printing "arguments"

VERIFIED FIXED

Status

()

VERIFIED FIXED
9 years ago
7 years ago

People

(Reporter: jruderman, Assigned: dmandelin)

Tracking

(Blocks: 1 bug, {testcase, verified1.9.2})

Trunk
x86
Mac OS X
testcase, verified1.9.2
Points:
---
Bug Flags:
wanted1.9.2 +
in-testsuite +

Firefox Tracking Flags

(status1.9.2 beta1-fixed)

Details

(Whiteboard: [sg:critical?] fixed-in-tracemonkey)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
(function(){ var arguments = 3; for (var j=0;j<4;++j) print(arguments); } )()

3
3
3
6.3669234573e-314

(First JIT correctness bug found by jsfunfuzz!)
(Assignee)

Comment 1

9 years ago
Created attachment 394610 [details] [diff] [review]
Patch
Assignee: general → dmandelin
Status: NEW → ASSIGNED
Attachment #394610 - Flags: review?
Attachment #394610 - Flags: review? → review+
(Reporter)

Updated

9 years ago
Whiteboard: [sg:critical?]
(Assignee)

Comment 2

9 years ago
Pushed to TM as 750e909e4433.
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
(Why is this "sg:critical?"  And was this seen on m-c or only in tracemonkey?  Just trying to figure out how to read the recent surge in JS sg:crit(?) count.)
(Reporter)

Comment 4

9 years ago
When I see the JS engine treat a non-double as a double, I think it's likely that worse things could happen due to the same bug.  See bug 489682, for example.

Comment 5

9 years ago
http://hg.mozilla.org/mozilla-central/rev/750e909e4433
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 6

9 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/26fa8c455a20
status1.9.2: --- → beta1-fixed
Flags: wanted1.9.2+

Comment 7

9 years ago
js/src/trace-test/tests/basic/bug510434.js
Flags: in-testsuite+

Comment 8

9 years ago
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Group: core-security
You need to log in before you can comment on or make changes to this bug.