try { var x for (x in <x>></x>) gczeal(2) new NaN } catch(e) {} (function() { for (a in [Boolean(), x.t]) {} } (function() {})) crashes js debug shell on JM changeset 8a0513a5c024 with -m at js::mjit::ic::GetProp Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000036 0x00000036 in ?? () (gdb) bt #0 0x00000036 in ?? () Cannot access memory at address 0x36 #1 0x0023f7cf in js::mjit::ic::GetProp (f=@0xbfffe4f0, index=0) at ../methodjit/PolyIC.cpp:1867 #2 0x005c93b6 in ?? () #3 0x001fd3bd in js::mjit::JaegerShot (cx=0x60a5a0) at ../methodjit/MethodJIT.cpp:664 #4 0x000a9f11 in js::Interpret (cx=0x60a5a0, entryFrame=0x10000a8, inlineCallCount=1) at ../jsinterp.cpp:4804 #5 0x000bca5e in js::RunScript (cx=0x60a5a0, script=0x60be60, fun=0x0, scopeChain=0x1402000) at jsinterp.cpp:468 #6 0x000be3c3 in js::Execute (cx=0x60a5a0, chain=0x1402000, script=0x60be60, down=0x0, flags=0, result=0x0) at jsinterp.cpp:944 #7 0x0001719a in JS_ExecuteScript (cx=0x60a5a0, obj=0x1402000, script=0x60be60, rval=0x0) at ../jsapi.cpp:4744 #8 0x0000c6c6 in Process (cx=0x60a5a0, obj=0x1402000, filename=0xbffff973 "debugOnlyJSObjGetPropertyCrash.js", forceTTY=0) at ../../shell/js.cpp:442 #9 0x0000d43b in ProcessArgs (cx=0x60a5a0, obj=0x1402000, argv=0xbffff860, argc=2) at ../../shell/js.cpp:862 #10 0x0000d554 in shell (cx=0x60a5a0, argc=2, argv=0xbffff860, envp=0xbffff86c) at ../../shell/js.cpp:5151 #11 0x0000d678 in main (argc=2, argv=0xbffff860, envp=0xbffff86c) at ../../shell/js.cpp:5247 (gdb) x/i $eip 0x36: Cannot access memory at address 0x36

Great test case. GETPROP PIC was resetting the type check jump to the wrong sync block. I took the opportunity to make the GETPROP syncing code a little nicer.

fix that pretties up callprop as well

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug589108.js.