The following testcase asserts on mozilla-central revision e069342dc665 (run with --ion-eager): var gTestcases = new Array(); var gTc = gTestcases.length; function TestCase(n, d, e, a) { gTestcases[gTc++] = this; } gcparam("maxBytes", gcparam("gcBytes") + 1024); var j = 0; for ( k = 0, i = 0x0020; i < 0x007e; i++, j++, k++ ) { new TestCase(); }

This still reproduces and I suspect it covers other bugs with the same assertion. Marking as fuzzblocker to get it fixed more quickly.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 106052:8a2010ae3d08 user: Sean Stangl date: Tue Mar 27 12:20:22 2012 -0700 summary: Bug 735400 - Optimize JSOP_FUNCALL. r=dvander This iteration took 83.662 seconds to run.

Not sure if this is the right changeset because sometimes OOM bugs tend to just reproduce because of unrelated changes, but worth a try.

(In reply to Christian Holler (:decoder) from comment #3) > Not sure if this is the right changeset because sometimes OOM bugs tend to > just reproduce because of unrelated changes, but worth a try. I'm not able to reproduce the crash (x86_64 with --ion-eager). Is it still occurring?

autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 117020:88a218a4b5bf user: Jan de Mooij date: Tue Dec 25 16:12:59 2012 +0100 summary: Bug 764310 part 2 - Implement JSOP_DEFFUN in IonMonkey. r=bhackett Sean / jandem, do you think bug 764310 possibly fixed this?

(In reply to Gary Kwong [:gkw] from comment #5) > autoBisect shows this is probably related to the following changeset: > > The first good revision is: > changeset: 117020:88a218a4b5bf > user: Jan de Mooij > date: Tue Dec 25 16:12:59 2012 +0100 > summary: Bug 764310 part 2 - Implement JSOP_DEFFUN in IonMonkey. > r=bhackett > > Sean / jandem, do you think bug 764310 possibly fixed this? I checked out the revision. Note that the assertion reproduces with --no-ion --no-jm. The "first bad" patch from Comment 2 only makes changes to Ion code, so it is unlikely that it is related. Although Bug 764310 makes changes to the interpreter, it's also unlikely that it fixes anything.

autoBisect seems to point at a merge landing, when running the testcase with --no-ion --no-jm. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 106276:adcd5d3c984e parent: 106275:2062cc1c4b06 parent: 95823:cf4face65451 user: Sean Stangl date: Tue Jun 05 16:54:36 2012 -0700 summary: Merge m-c to Ionmonkey. Not all ancestors of this changeset have been checked. Use bisect --extend to continue the bisection from the common ancestor, fe758ebc1707. This iteration took 1.390 seconds to run. Oops! We didn't test rev cf4face65451, a parent of the blamed revision! Let's do that now. Rev cf4face65451: Found cached shell... Testing... good (Unknown exit code 1, but not the specified one) As expected, the parent's label is the opposite of the blamed rev's label. Related to bug 822223?

s-s first because possibly-related bug 822223 is s-s.

JSBugMon: Cannot process bug: Unknown exception (check manually)

In case the original test doesn't reproduce for you, this one reproduces on 64 bit debug builds (8cc32d6fa707): gcparam("maxBytes", gcparam("gcBytes") + 1024); test(); function test() { function f(i) { for (var n = 0; n < 100; (new f()).m()); } actual = f(1) }

JSBugMon: Cannot process bug: Unknown exception (check manually)

Based on Bug 840012 Comment 4, this is most likely the same issue as Bug 840012.

JSBugMon: Cannot process bug: Unknown exception (check manually)

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 25c2aaee8acc).

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 25c2aaee8acc). JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 129087:64198b55d1ae user: Luke Wagner date: Wed Apr 17 08:50:54 2013 -0700 summary: Bug 840012 - Handle OOM in CreateThisForFunction (r=hannes) This iteration took 141.646 seconds to run.

Likely a dup of bug 840012.