Closed Bug 678141 Opened 8 years ago Closed 8 years ago

TI: Crash [@ defaultValue]

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86 Linux
Status: RESOLVED FIXED
People: Reporter: gkw, Unassigned
References: Blocks 2 open bugs
Keywords: crash, testcase
Attachments: 1 file

Attached file stack
c = {}.__proto__[1] = 3;
(function() {
    function b(a) {
        return a
    }
    for each(let z in [{}]) {
        print(new b(z))
    }
})()

crashes js opt shell on JM changeset e0b67d8cc908 with -m, -a and -n and patch v1 from bug 672892 at defaultValue, doesn't seem to show anything in debug.

This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Duplicate of this bug: 678455
When returning a value from a constructor in scripts with unknown type, we need to check for a primitive return and use the original constructed 'this' in such cases.  When doing this, we did not ensure that the 'this' value for the frame was synced, and could load from its (trash) address on primitive return.  Now that 'this' objects can be constructed in jitcode, the 'this' value is not always synced.

This issue does not show up in debug builds because we called a stub to check the argument and 'this' types after constructing 'this', which would force the value to be synced.  This patch moves that call up above construction of 'this' (losing checking for the 'this' type while constructing, oh well) so that regalloc will be consistent between debug and release modes.

http://hg.mozilla.org/projects/jaegermonkey/rev/409b62513ac6
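The fix above hinges on one ECMAScript rule: when a constructor returns a primitive, `new` discards it and yields the freshly constructed `this`; only an object return replaces `this`. The following is an added check of that rule (not code from the bug or from SpiderMonkey); `B` mirrors the reporter's `b(a) { return a }`, and the case labels are constructed sample input.

```javascript
'use strict';

// Constructor that returns whatever argument it was given, like b(a) in the
// reporter's testcase. The property lets us recognise the constructed object.
function B(a) {
  this.constructed = true;
  return a;
}

// Classify what `new B(value)` produced relative to the constructed `this`.
//   'this'        -> primitive return was discarded, constructed object kept
//   'replacement' -> object return replaced the constructed object
//   'primitive'   -> must never happen; this is the kind of result the
//                    engine bug could produce when `this` was not synced
function newResult(value) {
  const result = new B(value);
  const isObject =
    result !== null && (typeof result === 'object' || typeof result === 'function');
  if (!isObject) return 'primitive';
  return result.constructed === true ? 'this' : 'replacement';
}

// Run the constructor over a mix of return types, as the reporter's loop
// over [{}] does for one type. cases: array of [label, argument].
function checkNewSemantics(cases) {
  const out = {};
  for (const [label, arg] of cases) out[label] = newResult(arg);
  return out;
}

// Constructed sample input covering every primitive kind and two object kinds.
const SAMPLE_CASES = [
  ['number', 3],
  ['string', 'x'],
  ['boolean', false],
  ['undefined', undefined],
  ['null', null],
  ['object', { tag: 'replacement' }],
  ['function', function () {}],
];

// Every primitive case must come back as 'this'; object cases as 'replacement'.
function allPrimitivesKeepThis(cases) {
  const r = checkNewSemantics(cases);
  return Object.values(r).every((v) => v !== 'primitive');
}
```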
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug678141.js.
Flags: in-testsuite+