Closed Bug 557068 Opened 14 years ago Closed 14 years ago

JM: Crash [@ js::methodjit::JaegerShot]

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical


RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: crash, regression, testcase)

__defineGetter__("x", Function)
Function("\
  for each(let y in [Number, x, Number, x]) {\
    ''.replace(/a/, y.toSource)\
  }\
")()

crashes js debug and opt shell on JM tip with -m at a weird memory address with js::methodjit::JaegerShot near the top of the stack.
Here's another testcase:

for each(let x in [0, {}, 0, {}]) {
  x.valueOf
}

And finally, a third one:

for each(x in [new Boolean(false), {}, new Boolean(false), new Boolean(false)]) {
  __defineGetter__("", x.toSource)
}

Bonus fourth (pass into shell as a CLI argument):

function g(code) {
  return {
    z: code.indexOf("")
  }
}
function h(code) {
  wtt = g(code.replace(/s/, ""));
  try {
    var f = new Function(code)
  } catch(e) {}
  (wtt.z)
  {
    try {
      f()
    } catch(e) {}
  }
  try {
    Function(code)
  } catch(e) {}
}
function() {}
function() {}
h("__defineGetter__(\"x\",Function(\"gczeal(2)\"))")
h("{return x(function(){}[new Boolean])}")
h("")
h("}")
h("")

This looks like a PIC bug.
http://hg.mozilla.org/users/danderson_mozilla.com/jaegermonkey/rev/c5826c0f818f

More asm immediates that weren't constant size. Fortunately, Nitro has a feature to fix exactly this problem.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Crash Signature: [@ js::methodjit::JaegerShot]
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug557068.js.
Flags: in-testsuite+
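As an added illustration of the bug class named in the fix comment (example code, not from this bug or from the JaegerMonkey/Nitro sources): an assembler that size-optimizes an immediate down to its 8-bit form breaks a later in-place patch of that immediate, while a fixed-width encoding patches cleanly. It uses the x86 `add eax, imm` encodings 81 /0 id and 83 /0 ib on a constructed byte buffer that is decoded, never executed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Emit "add eax, imm". With size_optimize set, use the 3-byte 83 /0 ib form when
 * imm fits a sign-extended byte; otherwise always the 6-byte 81 /0 id form.
 * Returns the offset of the immediate field, the JIT's "patch label". */
size_t emit_add_eax_imm(uint8_t *buf, int32_t imm, int size_optimize) {
    if (size_optimize && imm >= -128 && imm <= 127) {
        buf[0] = 0x83; buf[1] = 0xC0; buf[2] = (uint8_t)imm;
        return 2;
    }
    buf[0] = 0x81; buf[1] = 0xC0;
    memcpy(buf + 2, &imm, 4);                   /* little-endian imm32 */
    return 2;
}
/* Decode "add eax, imm"; returns its length, or 0 if the bytes are not one. */
size_t decode_add_eax(const uint8_t *buf, int32_t *imm) {
    if (buf[0] == 0x83 && buf[1] == 0xC0) { *imm = (int8_t)buf[2]; return 3; }
    if (buf[0] == 0x81 && buf[1] == 0xC0) { memcpy(imm, buf + 2, 4); return 6; }
    return 0;
}
/* Emit "add eax, 5; ret", then overwrite the immediate with the 4 bytes of new_imm
 * at the recorded label, as an inline cache does on update (constructed scenario).
 * Stores the immediate the CPU would now see in *seen; returns the add's new length. */
static size_t emit_and_patch(uint8_t *code, int opt, int32_t new_imm, int32_t *seen) {
    size_t off = emit_add_eax_imm(code, 5, opt);
    code[decode_add_eax(code, seen)] = 0xC3;    /* ret */
    memcpy(code + off, &new_imm, 4);            /* the in-place repatch */
    return decode_add_eax(code, seen);
}
int32_t patched_imm(int opt, int32_t new_imm) {
    uint8_t code[16] = {0}; int32_t seen = 0;
    emit_and_patch(code, opt, new_imm, &seen);
    return seen;
}
/* 1 if the ret following the add survived the patch, 0 if it was clobbered. */
int next_insn_intact(int opt, int32_t new_imm) {
    uint8_t code[16] = {0}; int32_t seen = 0;
    size_t len = emit_and_patch(code, opt, new_imm, &seen);
    return code[len] == 0xC3;
}
int main(void) {
    for (int opt = 0; opt < 2; opt++)
        printf("%s: imm=%#x ret intact=%d\n", opt ? "size-optimized" : "fixed-width",
               (unsigned)patched_imm(opt, 0x12345678), next_insn_intact(opt, 0x12345678));
    return 0;
}
```

With the fixed-width form the patched add reads 0x12345678 and the following ret is untouched; with the size-optimized form the CPU sees imm 0x78 and the patch has overwritten the next instruction.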