var a = []; var s = "ABCDEFGHIJKLMNOPQRSTUVWXYZ123456"; for (var i = 0; i < 60000000; ++i) a.push(s); "" + a; takes about 20 seconds with -j, then causes malloc to complain: "pointer being freed was not allocated". Looks like GrowTo's realloc fails, GrowTo deletes mBegin, and then the destructor deletes mBegin again. Which should be responsible for deleting mBegin in an OOM situation, GrowTo or the destructor?

Oh dear. I tested for this, but that was before I too-hastily slapped in the POD-handling special case. Your diagnosis is correct; growTo should not be freeing on realloc failure, since the destructor will do that instead. Thanks!

Jesse, nice work.

Comment on attachment 388368 [details] [diff] [review] remove free on realloc Ugh, how'd I miss this...

http://hg.mozilla.org/tracemonkey/rev/d1b9ec46733f with obscured commit message, not that it matters for anyone who ever takes a look at the change itself...