Last Comment Bug 653789 - Crash [@ js_CheckForStringIndex] or [@ js::DefaultValue]
: Crash [@ js_CheckForStringIndex] or [@ js::DefaultValue]
Status: RESOLVED FIXED
fixed-in-tracemonkey
: crash, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- critical (vote)
: mozilla6
Assigned To: Jeff Walden [:Waldo] (remove +bmo to email)
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: jsfunfuzz 645468
  Show dependency treegraph
 
Reported: 2011-04-29 11:41 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-01-19 14:19 PST (History)
6 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
stacks (5.94 KB, text/plain)
2011-04-29 11:41 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags Details
Patch and tests (5.37 KB, patch)
2011-04-29 14:01 PDT, Jeff Walden [:Waldo] (remove +bmo to email)
luke: review+
Details | Diff | Splinter Review

Description Gary Kwong [:gkw] [:nth10sd] 2011-04-29 11:41:42 PDT
Created attachment 529152 [details]
stacks

__defineGetter__("x", eval);
eval.toString = toLocaleString
eval < x

crashes js debug shell on TM changeset 3dd6ec45084c without -m nor -j at js_CheckForStringIndex and crashes js opt shell at js::DefaultValue
Comment 1 Jeff Walden [:Waldo] (remove +bmo to email) 2011-04-29 14:01:49 PDT
Created attachment 529203 [details] [diff] [review]
Patch and tests

toLocaleString can straightforwardly recur through all-native functions.  Also, it didn't implement the spec algorithm.  Funny, that, how methods not written in the steps of the spec turn out to be buggy.
Comment 2 Jeff Walden [:Waldo] (remove +bmo to email) 2011-04-29 14:04:15 PDT
Oh, a simpler test:

"" + { toString: Object.prototype.toLocaleString };
Comment 3 Luke Wagner [:luke] 2011-05-10 14:20:43 PDT
Comment on attachment 529203 [details] [diff] [review]
Patch and tests

Oops, I missed the initial review request.  Nice test.
Comment 4 Jeff Walden [:Waldo] (remove +bmo to email) 2011-05-11 10:25:42 PDT
http://hg.mozilla.org/tracemonkey/rev/897963a18985

I noticed before landing that I had another test which I'd somehow forgotten to add to the patch.  It's basically comment 2, so not too tricky to need a look or anything.
Comment 5 Gary Kwong [:gkw] [:nth10sd] 2011-06-18 07:33:56 PDT
This already landed on mozilla-central some time ago.

http://hg.mozilla.org/mozilla-central/rev/897963a18985
Comment 6 Christian Holler (:decoder) 2013-01-19 14:19:58 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.