Crash [@ js_CheckForStringIndex] or [@ js::DefaultValue]

RESOLVED FIXED in mozilla6

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: gkw, Assigned: Waldo)

Tracking

(Blocks: 1 bug, {crash, regression, testcase})

Trunk
mozilla6
crash, regression, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey, crash signature)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 529152 [details]
stacks

__defineGetter__("x", eval);
eval.toString = toLocaleString
eval < x

crashes js debug shell on TM changeset 3dd6ec45084c without -m or -j at js_CheckForStringIndex, and crashes js opt shell at js::DefaultValue.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla6
Created attachment 529203 [details] [diff] [review]
Patch and tests

toLocaleString can straightforwardly recur through all-native functions.  Also, it didn't implement the spec algorithm.  Funny, that, how methods not written in the steps of the spec turn out to be buggy.
Attachment #529203 - Flags: review?(luke)
Oh, a simpler test:

"" + { toString: Object.prototype.toLocaleString };
Blocks: 645468
OS: Linux → All
Hardware: x86 → All
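
The recursion described above, as an added example that is not part of the bug or the patch: a JavaScript model of the ES5 15.2.4.3 steps for Object.prototype.toLocaleString, plus checks that the simpler test ends in a catchable error instead of a crash. The names specToLocaleString, outcome and the four check functions are hypothetical.

```javascript
// Model of the ES5 15.2.4.3 steps for Object.prototype.toLocaleString.
// specToLocaleString is a hypothetical name used only in this example.
function specToLocaleString(thisValue) {
  if (thisValue === null || thisValue === undefined) {
    throw new TypeError("cannot convert null or undefined to object");
  }
  const O = Object(thisValue);           // 1. ToObject(this value)
  const toString = O.toString;           // 2. [[Get]] of "toString"
  if (typeof toString !== "function") {  // 3. IsCallable check
    throw new TypeError("toString is not callable");
  }
  return toString.call(O);               // 4. [[Call]] with O as this
}

// Run fn and report how it ended: a returned value or a catchable error.
function outcome(fn) {
  try {
    return { kind: "value", value: fn() };
  } catch (e) {
    return { kind: "error", name: e.name };
  }
}

// The simpler test from the bug: toString is the native toLocaleString,
// so step 4 re-enters step 1 forever. A sound engine reports stack
// exhaustion as an error (RangeError in V8, InternalError in SpiderMonkey).
function nativeCycle() {
  return outcome(() => "" + { toString: Object.prototype.toLocaleString });
}

// The same cycle driven through the model above.
function modelCycle() {
  const o = { toString() { return specToLocaleString(this); } };
  return outcome(() => specToLocaleString(o));
}

// Step 3: a non-callable toString must be a TypeError, not a call attempt.
function nonCallableToString() {
  return outcome(() => specToLocaleString({ toString: 42 }));
}

// Ordinary case: the result is whatever the object's own toString returns.
function ordinaryArray() {
  return outcome(() => specToLocaleString([1, 2]));
}

console.log(nativeCycle(), modelCycle(), nonCallableToString(), ordinaryArray());
```
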

Comment 3

6 years ago
Comment on attachment 529203 [details] [diff] [review]
Patch and tests

Oops, I missed the initial review request.  Nice test.
Attachment #529203 - Flags: review?(luke) → review+
http://hg.mozilla.org/tracemonkey/rev/897963a18985

I noticed before landing that I had another test which I'd somehow forgotten to add to the patch.  It's basically comment 2, so not too tricky to need a look or anything.
Whiteboard: fixed-in-tracemonkey
Crash Signature: [@ js_CheckForStringIndex] [@ js::DefaultValue]
(Reporter)

Comment 5

6 years ago
This already landed on mozilla-central some time ago.

http://hg.mozilla.org/mozilla-central/rev/897963a18985
Status: ASSIGNED → RESOLVED
Crash Signature: [@ js_CheckForStringIndex] [@ js::DefaultValue] → [@ js_CheckForStringIndex] [@ js::DefaultValue]
Last Resolved: 6 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+