gczeal(4) function f3() {} function f2() { s = [] for (var k = 0; k < 9; ++k) { print(f3(uneval(s))) } } try { try { (function() { function f1() {} f2(f1) })() } catch (e) {} try { m } catch (e) {} s = "" print(h) } catch (e) {} try { a } catch (e) {} try { v(")") } catch (e) {} try { v = this.o.t() } catch (e) {} try { print(c) let c } catch (e) {} $ ./js-dbg-64-dm-clang-darwin-560b2c805bf7 --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js undefined undefined undefined undefined undefined undefined undefined undefined undefined undefined $ ./js-dbg-64-dm-clang-darwin-560b2c805bf7 --fuzzing-safe --no-threads --ion-eager testcase.js undefined undefined undefined undefined undefined undefined undefined undefined undefined Tested this on m-c rev 560b2c805bf7. My configure flags are: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-debug --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic" -r 560b2c805bf7 Due to skipped revisions, the first bad revision could be any of: changeset: https://hg.mozilla.org/mozilla-central/rev/cb6fc6d38f8d user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Rewrite the frontend: bindings. (r=jorendorff,Waldo) changeset: https://hg.mozilla.org/mozilla-central/rev/18bec78f348e user: Shu-yu Guo date: Thu Aug 25 01:28:47 2016 -0700 summary: Bug 1263355 - Report memory metrics for Scopes. (r=njn) Note that the difference in output involve the number of times "undefined" was printed, i.e. 10x vs 9x Shu-yu, is bug 1263355 a likely regressor?

Preferably this should also be backported to mozilla-aurora...

The bug is this: when marking Interpreter frames, JSScript::calculateLiveFixed is used and dead fixed slots on the frame are set to 'undefined'. The verify prebarriers zeal setting was triggering Interpreter frames to be marked right after frame slots were put into TDZ. Since the TDZ opcodes were outside of the extent of the lexical scope according to scope note, the slot that was just put into TDZ was considered dead and set to 'undefined'.

Comment on attachment 8793981 [details] [diff] [review] Fix scope notes for lexical scopes. Review of attachment 8793981 [details] [diff] [review]: ----------------------------------------------------------------- Thanks to patient lessons from shu on IRC, I am finally able to grasp what is going on here.

Pushed by shu@rfrn.org: https://hg.mozilla.org/integration/mozilla-inbound/rev/51e9c4c3a8ee Fix scope notes for lexical scopes. (r=sfink)