The following testcase asserts on mozilla-central revision d697d649c765 (run with --no-threads --fuzzing-safe --ion-eager): function $ERROR(message) {} function runTestCase() { $ERROR(); } loadFile("String = Array;"); function range(n, m) { var result = []; return result; } function assertStructuralEq(e1) { if (e1 instanceof Array) {} } function assertParallelExecSucceeds(opFunction) { while (true) { opFunction(); break; } } function assertArraySeqParResultsEq(arr, op, func) { var e = arr[op].apply(arr, [func]); assertParallelExecSucceeds(function (r) { assertStructuralEq(e); }); } loadFile("assertArraySeqParResultsEq(range(0, 1024), 'map', function() { return c.foo; });"); function testcase(x) {} runTestCase(testcase); function newFunc(x) { new Function(x)(); }; newFunc("prototype($ERROR[5], 0); (typeof String.prototype.length )"); function loadFile(lfVarx) { if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) evaluate(lfVarx, { noScriptRval : true, compileAndGo : true }); }

Crash trace: Program received signal SIGSEGV, Segmentation fault. constant (valOut=0x7fffffffb740, constraints=0x169dcb8, this=0x7fffffffb6e0) at js/src/jsinfer.cpp:1802 1802 Value val = object()->singleton()->nativeGetSlot(shape->slot()); #0 constant (valOut=0x7fffffffb740, constraints=0x169dcb8, this=0x7fffffffb6e0) at js/src/jsinfer.cpp:1802 #1 js::types::TemporaryTypeSet::propertyIsConstant (this=<optimized out>, constraints=0x169dcb8, id=..., valOut=0x7fffffffb740) at js/src/jsinfer.cpp:1933 #2 0x0000000000649748 in getPropTryInferredConstant (name=0x7ffff7e1c2b0, obj=0x1772ed8, emitted=0x7fffffffb74f, this=0x169dd30) at js/src/jit/IonBuilder.cpp:8784 #3 js::jit::IonBuilder::jsop_getprop (this=0x169dd30, name=0x7ffff7e1c2b0) at js/src/jit/IonBuilder.cpp:8681 #4 0x000000000064cd82 in js::jit::IonBuilder::inspectOpcode (this=0x169dd30, op=<optimized out>) at js/src/jit/IonBuilder.cpp:1674 #5 0x000000000064dbd4 in js::jit::IonBuilder::traverseBytecode (this=0x169dd30) at js/src/jit/IonBuilder.cpp:1281 #6 0x000000000064e607 in build (this=0x169dd30) at js/src/jit/IonBuilder.cpp:748 #7 js::jit::IonBuilder::build (this=0x169dd30) at js/src/jit/IonBuilder.cpp:640 rbp 0x9699418 157914136 => 0x765f03 <js::types::TemporaryTypeSet::propertyIsConstant(js::types::CompilerConstraintList*, jsid, JS::Value*)+387>: mov 0x0(%rbp),%rax Looks like rbp has been overwritten/clobbered, marking sec-critical.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/3a545eb9828b user: Brian Hackett date: Tue Aug 26 12:30:36 2014 -0700 summary: Bug 894596 - Bake constant valued object properties into jitcode when possible, r=jandem, patch mostly written by djvj. This iteration took 333.475 seconds to run.

Needinfo from djvj, also cc'ing bhackett for help :)

jsfunfuzz is hitting this quite a lot, setting [fuzzblocker].

JSBugMon: The testcase found in this bug no longer reproduces (tried revision f7a27a866c47).

JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/91c1baf5b733 user: Brian Hackett date: Sun Sep 07 10:27:31 2014 -0600 summary: Bug 1063598 - Infer constant properties even when the type property has not yet been instantiated, r=jandem. This iteration took 362.682 seconds to run.

Brian, is the patch in comment 8 a likely fix for this issue too?

(In reply to Christian Holler (:decoder) from comment #9) > Brian, is the patch in comment 8 a likely fix for this issue too? Yeah.

Fixed by bug 1063598.

-> FIXED because there is a known fix.

JSBugMon: This bug has been automatically verified fixed.

Does this impact ESR?