Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now) Reporter
	Description • 14 years ago

__defineSetter__("x",/a/)
Function("\
  for each(w in[0,0,0]) {\
    for each(y in[0,0,0,0,0,0,0,0,x,0,0,0,0,0,0,0,0,0,x,0,0,0,0,0,0,0,x]) {}\
  }\
")()

crashes js debug and opt shell on JM changeset 6347cf00d3ab with -m at js::mjit::JaegerShot

dbg output:

Program received signal SIGSEGV, Segmentation fault.
0xf76a8c4e in ?? ()
(gdb) bt
#0  0xf76a8c4e in ?? ()
#1  0x08212188 in js::mjit::JaegerShot (cx=0x8341b20) at ../methodjit/MethodJIT.cpp:696
#2  0x080d9892 in js::RunScript (cx=0x8341b20, script=0x83470d0, fun=0x0, scopeChain=0xf7502000) at ../jsinterp.cpp:466
#3  0x080da68b in js::Execute (cx=0x8341b20, chain=0xf7502000, script=0x83470d0, down=0x0, flags=0, result=0xffffd200) at ../jsinterp.cpp:954
#4  0x0806f9a4 in JS_ExecuteScript (cx=0x8341b20, obj=0xf7502000, script=0x83470d0, rval=0xffffd200) at ../jsapi.cpp:4737
#5  0x0804c207 in Process (cx=0x8341b20, obj=0xf7502000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534
#6  0x0804cd99 in ProcessArgs (cx=0x8341b20, obj=0xf7502000, argv=0xffffd408, argc=1) at ../../shell/js.cpp:861
#7  0x0805549d in shell (cx=0x8341b20, argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5010
#8  0x080555b9 in main (argc=1, argv=0xffffd408, envp=0xffffd410) at ../../shell/js.cpp:5106
(gdb) x/i $eip
=> 0xf76a8c4e:	add    %al,(%ecx)

opt output:

Program received signal SIGILL, Illegal instruction.
0xf76a8c32 in ?? ()
(gdb) x/i $eip
=> 0xf76a8c32:	(bad)

	Andrew Drake [:adrake]
	Comment 1 • 14 years ago

I'm pretty sure this is the same bug as https://bugzilla.mozilla.org/show_bug.cgi?id=584644 .

	David Anderson [:dvander] - inactive, e-mail if emergency
	Comment 2 • 14 years ago

Yup. Added test case: 
http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/690bcf4e1953

	Christian Holler (:decoder)
	Comment 3 • 12 years ago

A testcase for this bug was already added in the original bug (bug 584644).