While working on D2412 I discovered a SpiderMonkey segfault described in #5636.
As of rP22856 one can trigger a segfault with this optimization:
diff --git a/binaries/data/mods/public/gui/lobby/lobby.js b/binaries/data/mods/public/gui/lobby/lobby.js
index 66a3de4d14..aaa4df4dbe 100644
--- a/binaries/data/mods/public/gui/lobby/lobby.js
+++ b/binaries/data/mods/public/gui/lobby/lobby.js
@@ -196,9 +196,7 @@ var g_NetMessageTypes = {
 },
 "leave": msg => {
 addChatMessage({
-"text": "/special " + sprintf(translate("%(nick)s has left."), {
-"nick": msg.nick
-}),
+"text": "/special " + sprintf(translate("%(nick)s has left."), msg),
 "time": msg.time,
 "isSpecial": true
 });
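Review bot: Handing the whole `msg` object to sprintf makes the formatted text depend on the full shape of a network message instead of on the single `nick` field this handler needs, and it is the object on which the vendored sprintf's own-property lookup is reported to crash. The engine-side cause of that crash is not visible in the hunk, so the coupling should be recorded next to the new line: `// Whole message passed as sprintf args; relies on sprintf handling engine-created objects (see #5636).` Note also that the translated format string can now address every key of `msg`, not only `nick`, so translation placeholders should stay restricted to `%(nick)s`. The `g_NetMessageTypes` object that encloses this handler starts and ends outside the hunk.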
It seems to be a SpiderMonkey segfault as described in the ticket.
Updating the sprintf file stops the segfault from being triggered, so the optimization could then be used, while the crash can still be reproduced reliably (by reverting this update), fixed and confirmed.
The update neither hides the bug nor makes it harder to fix, but it allows that optimization to be used beforehand.
As described in the ticket, this sprintf changeset in particular is the relevant one: https://github.com/alexei/sprintf.js/commit/61c795624204883948c0e19f8af208f5359e6fdb#diff-13ed28d46a5f76f4d44561850bda81bb
diff --git a/src/sprintf.js b/src/sprintf.js
index ccb78d8..1ade05d 100644
--- a/src/sprintf.js
+++ b/src/sprintf.js
@@ -41,7 +41,7 @@
 if (ph.keys) { // keyword argument
 arg = argv[cursor]
 for (k = 0; k < ph.keys.length; k++) {
-if (!arg.hasOwnProperty(ph.keys[k])) {
+if (arg[ph.keys[k]] === undefined) {
 throw new Error(sprintf('[sprintf] property "%s" does not exist', ph.keys[k]))
 }
 arg = arg[ph.keys[k]]
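Review bot: Replacing the own-property check with `arg[ph.keys[k]] === undefined` changes what a placeholder may name: the lookup now walks the prototype chain, so a format string such as `%(toString)s` resolves on any object instead of throwing, while a property that is present but explicitly set to `undefined` now throws where it previously formatted. Neither consequence is stated in the hunk; a comment on the new line, `// resolves inherited properties too; an explicit undefined counts as missing`, would make the contract visible to callers that format translated or otherwise externally supplied strings. The function containing this loop starts and ends outside the hunk.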