Closed Bug 777776 Opened 12 years ago Closed 12 years ago

Invalid read of size 1 or invalid write of size 1 [@ JSScript::markChildren]

Categories

(Core :: JavaScript Engine, defect)

All
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox16 --- unaffected
firefox17 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: gkw, Assigned: Benjamin)

References

Details

(5 keywords, Whiteboard: [js:p1:fx17][fuzzblocker][qa-])

Attachments

(2 files)

Attached file Valgrind stack (deleted) —
gczeal(9, 2) for (a = 0; a < 4; ++a) { b = evaluate("/x/g"); } causes an invalid read of size 1 and invalid write of size 1 error on js opt shell on m-c changeset 7065b767f30d with -n using Valgrind, turning s-s because of this.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 99950:e080642175e6
user: Benjamin Peterson
date: Fri Jul 20 20:17:38 2012 +0200
summary: Bug 761723 - Save script sources to implement Function.prototype.toString. r=jorendorff,njn,jimb,jst,Ms2ger

During reduction, this testcase has also been known to crash with malloc errors.
Blocks: savesource
Keywords: crash, regression
I can't reproduce on Linux 64-bit. Also, what does "crash with malloc errors" mean?
(In reply to Benjamin Peterson from comment #2)
> I can't reproduce on Linux 64-bit.
>
> Also, what does "crash with malloc errors" mean?

My opt shell is compiled with --enable-gczeal, --enable-profiling, --enable-debug-symbols, --enable-more-deterministic and --enable-valgrind among others - could you pls retry?

Mac OS X has a special abort mode for binaries in which it says that there was a malloc error; unfortunately I've lost the exact error message. A similar error message can be found here: bug 736609 comment 0
--enable-more-determinism seems to do the trick.
Whiteboard: [js:p1:fx17]
Assignee: general → bpeterson
Attachment #646634 - Flags: review?(terrence)
This bug throws up a lot of weird duplicate errors.
Whiteboard: [js:p1:fx17] → [js:p1:fx17][fuzzblocker]
Attachment #646634 - Flags: review?(terrence) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Group: core-security
Keywords: verifyme
Whiteboard: [js:p1:fx17][fuzzblocker] → [js:p1:fx17][fuzzblocker][qa-]
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED