The following testcase crashes on TI revision 7dae91c263cf (run with -j -m -n), tested on 64 bit: try { for (var BUGNUMBER = 0, sz = Math.pow(2, 21); i < sz; i++) str += '0,'; } catch (exc1) {} var str = '['; for (var i = 0, BUGNUMBER; i < sz; i++) str += '0,'; var obj = { p: { __proto__: null }, }; for (var i = 0, sz = Math.pow(2, 21); i < sz; i++) str += '0,';

I got this to crash when the address space is randomized, but it won't crash in gdb. I turned off aslr and now it won't crash at all. Can you get this to crash in gdb? If so, do you have a shell I can ssh to?

No, this does not crash in GDB for me as well, but in Valgrind. Maybe it's possible to turn on ASLR in GDB? I'm on a train right now but can check later maybe.

There is a static type object which serves as the default type object for objects with no prototype. Similar to static strings, isMarked() cannot be called on this (its property types are unknown and it cannot have empty shapes, so nothing ever mutates it). When sweeping compartment tables for the types to associate with singleton/JSON objects, we didn't check for this static type object, under the assumption that elements of such objects were not mutants with non-standard prototypes. This situation was possible, though, as singletons were allowed to change their __proto__ so long as that prototype was itself a constant. This latter behavior is pretty goofy and liable to cause problems elsewhere, so the fix just treats any initializer mutating __proto__ as not constant. http://hg.mozilla.org/projects/jaegermonkey/rev/7ef2e842650c

Comment on attachment 554495 [details] [diff] [review] patch Review of attachment 554495 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsinfer.cpp @@ +2323,5 @@ > && (b.isPrimitive(JSVAL_TYPE_INT32) || b.isPrimitive(JSVAL_TYPE_DOUBLE)); > } > > +/* > + * As for GetValueType, but requires object types to be non-singletons with Was this meant to be "Same as for GetValueType"?

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug680217.js.