The following testcase crashes on mozilla-central revision 0e269a1f1beb (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --baseline-eager): var lfcode = new Array(); lfcode.push(` var wm = new WeakMap(); oomAfterAllocations(10); var foo = {}; wm.set(foo, 'FOO').get(myObj.p1 !== "x1"); `); var file = lfcode.shift(); loadFile(file) function loadFile(lfVarx) { eval("(function() { " + lfVarx + " })();"); } Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000bd82d5 in js::WeakMapBase::~WeakMapBase (this=this@entry=0x7ffff6903700, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:42 #0 0x0000000000bd82d5 in js::WeakMapBase::~WeakMapBase (this=this@entry=0x7ffff6903700, __in_chrg=<optimized out>) at js/src/jsweakmap.cpp:42 #1 0x0000000000c05fe3 in ~WeakMap (this=0x7ffff6903700, __in_chrg=<optimized out>) at js/src/jsweakmap.h:111 #2 js::ObjectValueMap::~ObjectValueMap (this=0x7ffff6903700, __in_chrg=<optimized out>) at js/src/vm/WeakMapObject.h:15 #3 0x0000000000bf79b2 in js_delete<js::ObjectValueMap> (p=0x7ffff6903700) at ../../dist/include/js/Utility.h:254 #4 SetWeakMapEntryInternal (cx=0x7ffff6907000, mapObj=..., key=..., value=...) at js/src/jsweakmap.cpp:362 #5 0x0000000000c064ec in WeakMap_set_impl (cx=0x7ffff6907000, args=...) at js/src/jsweakmap.cpp:407 #6 0x0000000000bf7c9a in CallNonGenericMethod<IsWeakMap, WeakMap_set_impl> (args=..., cx=0x7ffff6907000) at ../../dist/include/js/CallNonGenericMethod.h:100 #7 js::WeakMap_set (cx=0x7ffff6907000, argc=2, vp=<optimized out>) at js/src/jsweakmap.cpp:417 #8 0x00000000006d0b92 in js::CallJSNative (cx=0x7ffff6907000, native=0xbf7bd0 <js::WeakMap_set(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 #9 0x00000000006b7c32 in js::Invoke (cx=cx@entry=0x7ffff6907000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:773 #10 0x00000000006b8b79 in js::Invoke (cx=cx@entry=0x7ffff6907000, thisv=..., fval=..., argc=argc@entry=2, argv=argv@entry=0x7fffffff9ec8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:828 #11 0x00000000008ddb2a in js::jit::DoCallFallback (cx=0x7ffff6907000, frame=0x7fffffff9f28, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff9eb8, res=...) at js/src/jit/BaselineIC.cpp:10016 #12 0x00007ffff7feebdf in ?? () #13 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff6903700 140737330034432 rcx 0x7ffff6ca53cd 140737333842893 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffff9530 140737488327984 rsp 0x7fffffff9520 140737488327968 r8 0x7ffff7fe0780 140737354008448 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7fffffff92e0 140737488327392 r11 0x7ffff6c27960 140737333328224 r12 0x7ffff6907000 140737330049024 r13 0x7fffffff96e0 140737488328416 r14 0x7fffffff9720 140737488328480 r15 0x7ffff6903700 140737330034432 rip 0xbd82d5 <js::WeakMapBase::~WeakMapBase()+261> => 0xbd82d5 <js::WeakMapBase::~WeakMapBase()+261>: movl $0x2a,0x0 0xbd82e0 <js::WeakMapBase::~WeakMapBase()+272>: callq 0x498930 <abort()>

Use AutoInitGCManagedObject to avoid triggering assertions about GC lifetime.

Comment on attachment 8646981 [details] [diff] [review] bug1193039 Review of attachment 8646981 [details] [diff] [review]: ----------------------------------------------------------------- Nice!