Closed Bug 1057571 Opened 10 years ago Closed 10 years ago

Assertion failure: obj->denseElementsAreCopyOnWrite(), at jsinfer.cpp:3473

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla34

People

(Reporter: decoder, Assigned: bhackett1024)

Details

(Keywords: assertion, testcase, Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision cd2acc7ab2f8 (run with --no-threads --fuzzing-safe):

    // Build a script containing an array literal (its elements get copy-on-write storage).
    test = (function () {
      function f() { [1,2,3,4,5]; };
      return "var obj = { x : 2 };" + f.toSource() + "; f()";
    })();
    evalWithCache(test, {});
    // Evaluate once saving bytecode, then again loading it back (XDR round-trip).
    function evalWithCache(code, ctx) {
      code = cacheEntry(code);
      ctx.compileAndGo = true;
      var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } }));
      var res2 = evaluate(code, Object.create(ctx, {loadBytecode: { value: true }, saveBytecode: { value: true } }));
    }
I've also seen multiple crashes with evalWithCache, with different signatures. I think we once had a bug open about evalWithCache not being fuzz-safe, but I can't find it. If this issue is shell only, it would be nice if it could be fixed there (or added to the list of unsafe functions, which will prevent it from being tested of course).
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

    The first bad revision is:
    changeset: https://hg.mozilla.org/mozilla-central/rev/9605a571ca8a
    user:      Brian Hackett
    date:      Tue Aug 19 22:25:37 2014 -0800
    summary:   Bug 934450 - Allow objects to have copy on write elements, r=billm,jandem.

This iteration took 572.411 seconds to run.
Needinfo from Brian based on comment 2.
Flags: needinfo?(bhackett1024)
Attached patch patch (deleted) — Splinter Review
XDR doesn't work on copy on write arrays, which is something that can't happen in the browser (since only non-CNG scripts are XDR'ed) but was exposed by this testcase. It would be nice to be able to support this though, as this patch does.
Assignee: nobody → bhackett1024
Attachment #8478023 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Comment on attachment 8478023 [details] [diff] [review] patch

Review of attachment 8478023 [details] [diff] [review]:

Please add the testcase in comment 0 (ideally it should also test correctness somehow).
Attachment #8478023 - Flags: review?(jdemooij) → review+
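The comment 0 testcase extended so that it also checks correctness, as the review asks. This is an added example, not code from the bug or from the mozilla-central patch; it assumes the SpiderMonkey shell builtins cacheEntry and evaluate (with saveBytecode/loadBytecode) used by the original testcase, and the names COW_TEST_SOURCE, EXPECTED, runPlain and runWithCache are chosen here.

```javascript
// Script whose array literal gets copy-on-write elements. It reads the
// literal, writes to it, and then builds a fresh literal, so a bug that
// mutated the shared elements in place (or serialized them wrongly) would
// show up in the returned string.
const COW_TEST_SOURCE = `
  var obj = { x: 2 };
  function f() {
    var a = [1, 2, 3, 4, 5];   // literal with copy-on-write elements
    var before = a.join(",");
    a[0] = 10;                 // first write must copy the shared elements
    a.push(6);
    return before + "|" + a.join(",") + "|" + [1, 2, 3, 4, 5].join(",");
  }
  f();
`;

// Expected completion value: unchanged read, mutated copy, pristine new literal.
const EXPECTED = "1,2,3,4,5|10,2,3,4,5,6|1,2,3,4,5";

function checkResult(res) {
  return res === EXPECTED;
}

// Plain evaluation with no bytecode cache; runs in any JS engine.
function runPlain() {
  return (0, eval)(COW_TEST_SOURCE);
}

// XDR round-trip exactly as in the bug's evalWithCache: save bytecode on the
// first evaluate, load it on the second, and require both results to match.
// Returns null outside the SpiderMonkey shell (assumed builtins are absent).
function runWithCache() {
  if (typeof cacheEntry !== "function" || typeof evaluate !== "function") {
    return null;
  }
  var code = cacheEntry(COW_TEST_SOURCE);
  var ctx = { compileAndGo: true };
  var res1 = evaluate(code, Object.create(ctx, { saveBytecode: { value: true } }));
  var res2 = evaluate(code, Object.create(ctx, { loadBytecode: { value: true },
                                                saveBytecode: { value: true } }));
  return checkResult(res1) && checkResult(res2)
    ? "ok"
    : "mismatch: " + res1 + " / " + res2;
}
```

In the shell, runWithCache() returning "ok" means the loaded bytecode produced the same, correct result as the freshly compiled script.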
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34