python trace-test.py --valgrind-all ../debug/js putargsReturn.js and putargsNoReturn.js hit: Using Valgrind-3.6.0.SVN and LibVEX; rerun with -h for copyright info Command: ../debug/js -j -e const\ platform='darwin';\ const\ libdir='/Users/jruderman/tracemonkey/js/src/trace-test/lib/'; -f /Users/jruderman/tracemonkey/js/src/trace-test/lib/prolog.js -f /Users/jruderman/tracemonkey/js/src/trace-test/tests/basic/putargsReturn.js Invalid read of size 4 at 0x132E0A: bool NativeToValueBase<FailDoubleOOMHandler>(JSContext*, long&, JSTraceType_, double*) (jstracer.cpp:2668) by 0x133294: js_NativeToValue(JSContext*, long&, JSTraceType_, double*) (jstracer.cpp:2766) by 0x6011C: ArgGetter(JSContext*, JSObject*, long, long*) (jsfun.cpp:510) by 0xB58F0: JSScopeProperty::get(JSContext*, JSObject*, JSObject*, long*) (jsscope.h:800) by 0xAF952: js_NativeGet (jsobj.cpp:4279) by 0xAFF63: js_GetPropertyHelper (jsobj.cpp:4460) by 0xB00D3: js_GetProperty (jsobj.cpp:4470) by 0x160F78: JSObject::getProperty(JSContext*, long, long*) (jsobj.h:267) by 0x85BA3: js_Interpret (jsops.cpp:1933) by 0x9971A: js_Execute (jsinterp.cpp:1599) by 0x1EB6B: JS_ExecuteScript (jsapi.cpp:4947) by 0x8472: Process(JSContext*, JSObject*, char*, int) (shell/js.cpp:436) Address 0xbfffcf98 is not stack'd, malloc'd or (recently) free'd

I want to kill the reserve double list really badly. Working on gregor's conservative stack scanning patch which can also scan the native stack, eliminating the need for reserve lists.

To reproduce a little more directly, run this in js/src/trace-tests: ../debug/js -j -e const\ platform='darwin';\ const\ libdir='/Users/jruderman/tracemonkey/js/src/trace-test/lib/'; -f /Users/jruderman/tracemonkey/js/src/trace-test/lib/prolog.js -f /Users/jruderman/tracemonkey/js/src/trace-test/tests/basic/putargsReturn.js

Based on comment 1, marking as dependent on bug 516832.

is this still reproducible?

WFM on tracemonkey branch.