Bug 649261 (Closed)
Opened 14 years ago
Closed 14 years ago
TI: Crash [@JSString::isAtom] // Null pointer dereference
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: decoder, Unassigned
Keywords: crash, testcase
Description
The following testcase crashes on TI revision 23a746dac370 (run with -m -n -a), tested on 64-bit:
var DESCRIPTION;
eval("DESCRIPTION += \"Non-character escapes in identifiers negative test.\";");
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fafc9376720 (LWP 6401)]
0x000000000043ad42 in JSString::isAtom (this=0x0) at ./jsstr.h:345
345 bool atomized = (d.lengthAndFlags & ATOM_MASK) == ATOM_FLAGS;
(gdb) bt
#0 0x000000000043ad42 in JSString::isAtom (this=0x0) at ./jsstr.h:345
#1 0x00000000005b6046 in js_ConcatStrings (cx=0x1409db0, left=0x0, right=0x7fafc7d10400) at jsstr.cpp:337
#2 0x0000000000796ccd in js::mjit::stubs::Add (f=@0x7fff6fb0df30) at ./methodjit/StubCalls.cpp:1181
#3 0x00007fafc91d72ab in ?? ()
#4 0x00007fafc91d7210 in ?? ()
#5 0x0000000001470f80 in ?? ()
#6 0x00007fff6fb0e470 in ?? ()
#7 0x0000000000000000 in ?? ()
Comment 5 • 14 years ago
For GETGNAME/CALLGNAME ops, didn't record dependencies on the pushed type correctly, so that if it became undefined due to reading a hole we didn't trigger recompilation (JM only looked at the type of the global property itself, which doesn't account for reading holes in the global).
http://hg.mozilla.org/projects/jaegermonkey/rev/a4131835b866
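The language-level behaviour the engine got wrong here, as an added example (not code from the bug report, from the jit-test named later in this bug, or from the SpiderMonkey tree): a global declared with `var` but never assigned reads back as `undefined`, so `DESCRIPTION += "..."` must evaluate to the string "undefined" followed by the suffix, and the JIT has to reach `js_ConcatStrings` with a real string on the left rather than a null pointer. The harness below assumes only standard JavaScript; the global names, the `cases` table and `checkConcatSemantics` are my own. It exercises the reporter's pattern directly, through `eval` (the form that crashed here), in a hot loop that a JIT would compile, and with a global whose type changes from string to an explicitly assigned `undefined`, which is the case comment 5 says the property's own type set already covered, as opposed to the never-assigned hole it did not. On a correct engine every case yields the same spec-mandated string.

```javascript
// Added example: regression-style harness for the pattern behind bug 649261.
// Not from the bug report or the SpiderMonkey tree; all names are my own.
// A `var` declaration with no initialiser leaves the variable holding
// undefined, so `undefined += "x"` must evaluate to "undefinedx".

// Declared exactly like the reporter's DESCRIPTION: declared, never assigned.
var HOLE_A;
var HOLE_B;
var HOLE_C;
var HOLE_D;

const SUFFIX = "Non-character escapes in identifiers negative test.";

// What the language mandates for undefined + SUFFIX.
const EXPECTED = "undefined" + SUFFIX;

// Each case returns the concatenation result from a different code path.
const cases = {
  // Direct read-modify-write of the never-assigned global.
  direct() {
    HOLE_A += SUFFIX;
    return HOLE_A;
  },
  // Same operation routed through eval, as in the original testcase.
  viaEval() {
    return eval('HOLE_B += "' + SUFFIX + '"; HOLE_B;');
  },
  // Hot loop: the never-assigned global is read repeatedly, the kind of
  // site a method JIT compiles after warm-up. HOLE_C is never written,
  // so every read sees the uninitialised slot.
  warmLoop() {
    let last;
    for (let i = 0; i < 2000; i++) last = HOLE_C + SUFFIX;
    return last;
  },
  // Type transition on the property itself: string first, then an explicit
  // undefined. Here the global's own type set changes, unlike the hole case.
  transition() {
    HOLE_D = "seed";
    let r = HOLE_D + SUFFIX; // string + string
    HOLE_D = undefined;      // property now explicitly holds undefined
    r = HOLE_D + SUFFIX;     // undefined + string
    return r;
  },
};

// Runs every case once and returns the names (with values) of any that
// deviate from EXPECTED. Empty array means the engine is correct for all
// paths; a crash, as on the reported build, never reaches the return.
function checkConcatSemantics() {
  const failures = [];
  for (const [name, fn] of Object.entries(cases)) {
    let got;
    try {
      got = fn();
    } catch (e) {
      got = "threw " + e;
    }
    if (got !== EXPECTED) failures.push(name + ": " + String(got));
  }
  return failures;
}
```

The `direct` and `viaEval` cases assign to their global, so they are meaningful only on the first run; `warmLoop` never writes and can be rerun freely. Dropping the file into a jit-test style harness amounts to treating a non-empty result from `checkConcatSemantics()` as a failure.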
Updated • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 13 years ago
Crash Signature: [@JSString::isAtom]
Reporter
Comment 6 • 12 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/recompile/bug649261.js.
Flags: in-testsuite+