Function("\ for each(y in[0,0,0]) {\ for(x in[0,0,0,0,0,0,0,0,0,new Boolean(true),0,0,0,new Boolean(true)]) {}\ }\ ")() With moo tip changeset 60c111fc0d4b, the testcase crashes js debug and opt shell at js::mjit::JaegerShot with -m. Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0x684d01ec 0x00641930 in ?? () (gdb) bt #0 0x00641930 in ?? () #1 0x001f056e in js::mjit::JaegerShot (cx=0x50a900) at ../methodjit/MethodJIT.cpp:638 #2 0x000b4536 in js::RunScript (cx=0x50a900, script=0x50de30, fun=0x0, scopeChain=0x701000) at jsinterp.cpp:459 #3 0x000b5a89 in js::Execute (cx=0x50a900, chain=0x701000, script=0x50de30, down=0x0, flags=0, result=0xbffff680) at jsinterp.cpp:923 #4 0x000171aa in JS_ExecuteScript (cx=0x50a900, obj=0x701000, script=0x50de30, rval=0xbffff680) at ../jsapi.cpp:4637 #5 0x0000bfa2 in Process (cx=0x50a900, obj=0x701000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:533 #6 0x0000c9a7 in ProcessArgs (cx=0x50a900, obj=0x701000, argv=0xbffff84c, argc=1) at ../../shell/js.cpp:860 #7 0x0000cac0 in shell (cx=0x50a900, argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5038 #8 0x0000cbe4 in main (argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5129 (gdb) x/i $eip 0x641930: movl $0xffffffbe,0x674d00cc(%ebx)

http://hg.mozilla.org/users/danderson_mozilla.com/moo/rev/c5defad7814f Similar deal to bug 577705

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug577996.js.