The following testcase crashes on mozilla-central revision eab4a81e4457 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --baseline-eager --no-threads): function foo() { (function() { Object.preventExtensions(this); setJitCompilerOption("ion.warmup.trigger", 4); var g = newGlobal(); g.debuggeeGlobal = this; g.eval("(" + function () { dbg = new Debugger(debuggeeGlobal); dbg.onExceptionUnwind = function (frame, exc) { var s = '!'; for (var f = frame; f; f = f.older) debuggeeGlobal.log += s; }; } + ")();"); j('Number.prototype.toSource.call([])'); })(); } foo(); Backtrace: Program received signal SIGSEGV, Segmentation fault. js::ShapeTable::search (this=0x7fffffffa340, id=$jsid("toSource"), adding=false) at js/src/vm/Shape.cpp:200 200 if (entry->isFree()) #0 js::ShapeTable::search (this=0x7fffffffa340, id=$jsid("toSource"), adding=false) at js/src/vm/Shape.cpp:200 #1 0x00000000005b31ba in js::Shape::search (cx=cx@entry=0x16c7fe0, start=0x7fffffff9bb0, id=$jsid("toSource"), pentry=pentry@entry=0x7fffffff9b80, adding=adding@entry=false) at js/src/vm/Shape-inl.h:78 #2 0x0000000000585dd8 in lookup (id=..., cx=0x16c7fe0, this=<optimized out>) at js/src/vm/NativeObject.cpp:263 #3 LookupOwnPropertyInline<(js::AllowGC)1> (donep=<synthetic pointer>, propp=0x0, id=$jsid("toSource"), obj=, cx=0x16c7fe0) at js/src/vm/NativeObject-inl.h:474 #4 NativeGetPropertyInline<(js::AllowGC)1> (vp=JSVAL_VOID, nameLookup=NotNameLookup, id=$jsid("toSource"), receiver=..., obj=, cx=0x16c7fe0) at js/src/vm/NativeObject.cpp:1909 #5 js::NativeGetProperty (cx=0x16c7fe0, obj=..., receiver=, id=$jsid(""), vp=JSVAL_VOID) at js/src/vm/NativeObject.cpp:1953 #6 0x00000000004af8fd in GetProperty (vp=..., id=..., receiver=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject.h:1425 #7 js::GetProperty (cx=<optimized out>, obj=..., receiver=..., name=<optimized out>, vp=...) at js/src/jsobj.h:845 #8 0x00000000008d4ae1 in js::ValueToSource (cx=0x16c7fe0, v=...) at js/src/jsstr.cpp:4263 #9 0x000000000089307b in js::DecompileValueGenerator (cx=0x16c7fe0, spindex=<optimized out>, v=$jsval(), fallbackArg=..., skipStackHits=<optimized out>) at js/src/jsopcode.cpp:1840 #10 0x000000000081b4d9 in js::ReportValueErrorFlags (cx=cx@entry=0x16c7fe0, flags=flags@entry=5, errorNumber=errorNumber@entry=42, spindex=spindex@entry=0, v=..., v@entry=$jsval(), fallback=..., arg1=arg1@entry=0x0, arg2=arg2@entry=0x0) at js/src/jscntxt.cpp:868 #11 0x000000000081b89b in JS::ObjectOpResult::reportStrictErrorOrWarning (this=0x7fffffff9f78, cx=0x16c7fe0, obj=..., id=..., strict=<optimized out>) at js/src/jsapi.cpp:153 #12 0x00007ffff7fe06fe in ?? () #13 0x00007fffffff9fa8 in ?? () #14 0x00007fffffff9f58 in ?? () #15 0x00007fffffffabe0 in ?? () #16 0x0000000000000000 in ?? () rax 0x7ffff7f027a8 140737353099176 rbx 0x7fffffff9bb0 140737488329648 rcx 0x16c8030 23887920 rdx 0x0 0 rsi 0x7ffff7e1c988 140737352157576 rdi 0x7fffffffa340 140737488331584 rbp 0xc49e31d5 3298701781 rsp 0x7fffffff9af8 140737488329464 r8 0xc49e 50334 r9 0x7ffff7ea02b8 140737352696504 r10 0x16c8030 23887920 r11 0x656d7265746e6928 7308623550362839336 r12 0x16c7fe0 23887840 r13 0x7fffffff9c70 140737488329840 r14 0x16c7ff8 23887864 r15 0x16c7fe0 23887840 rip 0x5721c1 <js::ShapeTable::search(jsid, bool)+49> => 0x5721c1 <js::ShapeTable::search(jsid, bool)+49>: mov (%rax),%r11 0x5721c4 <js::ShapeTable::search(jsid, bool)+52>: test %r11,%r11

JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20150306174450" and the hash "56083b5a4473". The "bad" changeset has the timestamp "20150306182641" and the hash "62fecc6ab96e". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=56083b5a4473&tochange=62fecc6ab96e

Bisection includes a few different bugs, but mostly stuff from jorendorff. Jason, can you take a look if you regressed this, or if we need a closer bisection?

Bisecting manually. Thanks for the report, this is probably a big deal.

There's no great way to test for this. The given test case is just barely stable enough that it bisected correctly; trivial changes made the crash go away for me. This is because I just blew it and wasn't populating a register correctly; the resulting behavior is (I guess) pretty random. This is likely causing bug 1140737. Same regressing changeset, anyway.

Comment on attachment 8574978 [details] [diff] [review] Fix crashes with Ion and proxy set failure cases, caused by rev 0712a3d4b79c Review of attachment 8574978 [details] [diff] [review]: ----------------------------------------------------------------- Blech. I should have caught this the first time. r=me