The following test crashes on mozilla-central revision 322354df233d (options -m -n -a), armv7-a arch only (I am not sure if this is an ARM issue or if it's due to the memory restrictions of the ARM board): const MAX = 10000; var str = ""; for (var i = 0; i < MAX; ++i) { /x/.test(str); str += str + 'xxxxxxxxxxxxxx'; } Backtrace of crash: Program received signal SIGSEGV, Segmentation fault. 0x00042d26 in JSString::isLinear (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:329 329 return (d.lengthAndFlags & LINEAR_MASK) == LINEAR_FLAGS; (gdb) bt #0 0x00042d26 in JSString::isLinear (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:329 #1 0x00042fbc in JSLinearString::chars (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:457 #2 0x0020a194 in ExecuteRegExp (cx=0x4a2b38, native=0x20a3b1 <js::regexp_test(JSContext*, uintN, JS::Value*)>, argc=1, vp=0x4048e058) at /home/decoder/LangFuzz/mozilla-central/js/src/builtin/RegExp.cpp:538 #3 0x0020a3cc in js::regexp_test (cx=0x4a2b38, argc=1, vp=0x4048e058) at /home/decoder/LangFuzz/mozilla-central/js/src/builtin/RegExp.cpp:590 #4 0x000f0dba in js::CallJSNative (cx=0x4a2b38, native=0x20a3b1 <js::regexp_test(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:297 #5 0x00300c00 in CallCompiler::generateNativeStub (this=0xbedd6300) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:939 #6 0x002fcdd6 in js::mjit::ic::NativeCall (f=..., ic=0x4a7c98) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:1173 #7 0x0028966e in JaegerStubVeneer () at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:164 #8 0x4089165c in ?? () I think this could be an allocation failing due to oom where the allocating function returns NULL instead and the error is not checked, leading to a null-deref (not security relevant in that case).

Untested but should fix this.

Try run for 5a1614379c50 is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=5a1614379c50 Results (out of 19 total builds): success: 14 warnings: 5 Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-5a1614379c50

Not sure how to test, but didn't crash on Android test run.

Backed out along with bug 430927 because of test failures on inbound: https://hg.mozilla.org/integration/mozilla-inbound/rev/04505e53439e This patch can re-land if it is not responsible for the test failures.

Try run for 57e8ba5a8d21 is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=57e8ba5a8d21 Results (out of 18 total builds): exception: 16 failure: 2 Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-57e8ba5a8d21

Try run for a45235903f82 is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=a45235903f82 Results (out of 88 total builds): exception: 41 success: 5 warnings: 3 failure: 39 Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-a45235903f82

Try run for 2d87fa073ff9 is complete. Detailed breakdown of the results available here: https://tbpl.mozilla.org/?tree=Try&rev=2d87fa073ff9 Results (out of 193 total builds): success: 184 warnings: 9 Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-2d87fa073ff9

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug698584.js.