x = Math.tan(this) Function("\ for each(let a in[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]) {\ for each(l in[0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,x,0,0,0,0,0,0,0,0,x]) {\ function aaaaa(){}\ aaaaa()\ }\ }\ ")() crashes js debug and opt shell on Mac 32-bit on JM changeset 6347cf00d3ab with -m at a weird memory address near js::mjit::JaegerShot. Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_INVALID_ADDRESS at address: 0xd7c91f6c 0x004c9eeb in ?? () (gdb) bt #0 0x004c9eeb in ?? () #1 0x001f642b in js::mjit::JaegerShot (cx=0x50a900) at ../methodjit/MethodJIT.cpp:696 #2 0x000b993b in js::RunScript (cx=0x50a900, script=0x50dbb0, fun=0x0, scopeChain=0x702000) at jsinterp.cpp:466 #3 0x000bae9c in js::Execute (cx=0x50a900, chain=0x702000, script=0x50dbb0, down=0x0, flags=0, result=0xbffff680) at jsinterp.cpp:954 #4 0x00017d30 in JS_ExecuteScript (cx=0x50a900, obj=0x702000, script=0x50dbb0, rval=0xbffff680) at ../jsapi.cpp:4737 #5 0x0000cc5a in Process (cx=0x50a900, obj=0x702000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:534 #6 0x0000d65f in ProcessArgs (cx=0x50a900, obj=0x702000, argv=0xbffff84c, argc=1) at ../../shell/js.cpp:861 #7 0x0000d778 in shell (cx=0x50a900, argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5010 #8 0x0000d89c in main (argc=1, argv=0xbffff84c, envp=0xbffff854) at ../../shell/js.cpp:5106 (gdb) x/i $eip 0x4c9eeb: movl $0xffff00ff,-0x2936e1c4(%ebx)

This occurs on Linux 32-bit as well.

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug584644-2.js.