Created attachment 563647 [details]
The attached testcase asserts js debug shell on JM changeset 44ef245b8706 and m-c changeset db9e99d537f2 with -m, -a and -n at Assertion failure: codeArray[offset], and crashes js opt shell at js_InternalInterpret
This was found using a combination of jsfunfuzz and jandem's method fuzzer.
Since it seems to be a null deref, assuming sg:dos and locking s-s to be safe.
Created attachment 563650 [details]
Created attachment 565103 [details] [diff] [review]
Use of GET_JUMP_OFFSET which did not watch for JOF_JUMPX opcodes. No other suspicious uses of GET_JUMP_OFFSET in analysis/compilation code, though I'd kind of like to kill GET_JUMP_OFFSET / GET_JUMP_OFFSETX completely and use a common function to compute offsets for both.
Automatically extracted testcase for this bug was committed: