Bug 657225 - TI: Crash [@ JSString::length]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Assigned To: general
QA Contact: Jason Orendorff [:jorendorff]
Blocks: infer-regress, langfuzz
Reported: 2011-05-15 10:01 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:00 PST
Flags: choller: in-testsuite+


Description  Christian Holler (:decoder) 2011-05-15 10:01:41 PDT
The following testcase crashes on TI revision 693a36f402ee (run with -m -n -a),
tested on 64 bit:

function reportCompare(expected, actual, description) + ++actual + "'";
var summary = 'Object.prototype.toLocaleString() should track Object.prototype.toString() ';
var o = {
    toString: function () {}
expect = o;
actual = o.toLocaleString();
reportCompare(expect, actual, summary);


==841== Invalid read of size 8
==841==    at 0x413D3E: JSString::length() const (jsstr.h:250)
==841==    by 0x505D4D: bool js::StringToNumberType<double>(JSContext*, JSString*, double*) (jsnum.h:646)
==841==    by 0x5053B2: js::ValueToNumberSlow(JSContext*, js::Value, double*) (jsnum.cpp:1293)
==841==    by 0x439D70: js::ValueToNumber(JSContext*, js::Value const&, double*) (jsnum.h:269)
==841==    by 0x795E71: js::mjit::stubs::Sub(js::VMFrame&) (StubCalls.cpp:1171)
==841==    by 0x41AEC1A: ???
==841==    by 0x6936D9: js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, js::Value*) (MethodJIT.cpp:880)
==841==    by 0x69381E: CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*) (MethodJIT.cpp:910)
==841==    by 0x6938FA: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:927)
==841==    by 0x4EE66F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:604)
==841==    by 0x4EFC4C: js::Execute(JSContext*, JSObject&, JSScript*, js::StackFrame*, unsigned int, js::Value*) (jsinterp.cpp:990)
==841==    by 0x434CE2: JS_ExecuteScript (jsapi.cpp:5166)
==841==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==841== Process terminating with default action of signal 11 (SIGSEGV)
Comment 1  Brian Hackett (:bhackett) 2011-05-15 23:35:12 PDT
Wrong type handler on Object.toLocaleString, it wraps the 'toString' property and is not guaranteed to produce a string.
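Added illustration (not part of the bug report, its testcase, or SpiderMonkey's code): Object.prototype.toLocaleString() is specified to invoke this.toString() and hand back its result unchanged, so its return type is whatever a user-defined or replaced toString yields. The cases below are constructed for this example and run in any current engine (e.g. Node); they show toLocaleString() passing through undefined, null, a number and an object, what a subtraction (the operation the crashing stubs::Sub was performing) yields on each when the engine takes the generic ToNumber path instead of assuming a JSString payload, and that replacing Object.prototype.toString changes the result for plain objects, which is why no fixed "returns string" type can be inferred for it.

```javascript
// Added example, not code from the bug or the engine.
// Object.prototype.toLocaleString() returns this.toString()'s value
// as-is, so the inference "toLocaleString() yields a string" is wrong
// as soon as toString is user-defined.

function classifyToLocaleString() {
  // Constructed cases: each toString deliberately returns a non-string,
  // except the last one, which is the case the type handler assumed.
  const cases = {
    undefinedResult: { toString() {} },                      // returns undefined
    nullResult:      { toString() { return null; } },
    numberResult:    { toString() { return 42; } },
    objectResult:    { toString() { return { tag: "obj" }; } },
    stringResult:    { toString() { return "7"; } },
  };
  const out = {};
  for (const [name, o] of Object.entries(cases)) {
    const v = o.toLocaleString();   // passes toString's return value through
    // Same kind of operation as the crashing stub: a subtraction converts
    // its operand to a number. A correct engine runs generic ToNumber here
    // rather than reading a string length from a non-string payload.
    const diff = 1 - v;
    out[name] = {
      type: v === null ? "null" : typeof v,
      minus: Number.isNaN(diff) ? "NaN" : diff,
    };
  }
  return out;
}

// The testcase summary says toLocaleString() "should track" toString():
// replacing Object.prototype.toString changes what a plain object's
// toLocaleString() returns, so the return type depends on runtime state.
function tracksPrototypeToString() {
  const saved = Object.prototype.toString;
  try {
    Object.prototype.toString = function () { return 7; };
    return ({}).toLocaleString();      // 7, not "[object Object]"
  } finally {
    Object.prototype.toString = saved; // restore so nothing else is affected
  }
}
```

The object case goes NaN because ToPrimitive on `{ tag: "obj" }` falls back to the default toString ("[object Object]"); null converts to 0, undefined to NaN, and "7" to 7. Any JIT fast path that wants to skip these conversions must first prove the operand is a string at runtime, not infer it from which built-in produced the value.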
Comment 2  Christian Holler (:decoder) 2013-01-14 08:00:11 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug657225.js.
