Closed Bug 816492 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: hasScript(), at ../../jsfun.h:203 or Opt-Crash [@ AnalyzeNewScriptProperties]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
Tracking Status
firefox17 --- unaffected
firefox19 --- unaffected
firefox20 --- fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: h4writer)

References

Details

(4 keywords, Whiteboard: [jsbugmon:][adv-main20-] fixed by backout)

Crash Data

The following testcase asserts on mozilla-central revision c63d5cff18ba (run with --ion-eager):

    function TestCase(n, d, e, a) {}
    function reportCompare () {
      var testcase = new TestCase();
    }
    reportCompare();
    schedulegc(10);
    this.TestCase=Number;
    reportCompare(4294967295.5);
Valgrind trace from opt-build:

    ==16299== Invalid read of size 8
    ==16299==    at 0x4A06E3: AnalyzeNewScriptProperties(JSContext*, js::types::TypeObject*, JSFunction*, JS::MutableHandle<JSObject*>, js::Vector<js::types::TypeNewScript::Initializer, 0ul, js::TempAllocPolicy>*) (jsinferinlines.h:1740)
    ==16299==    by 0x4A0ABA: CheckNewScriptProperties(JSContext*, JS::Handle<js::types::TypeObject*>, JSFunction*) (jsinfer.cpp:4964)
    ==16299==    by 0x4A146D: JSCompartment::getNewType(JSContext*, js::TaggedProto, JSFunction*, bool) (jsinfer.cpp:5888)
    ==16299==    by 0x4A1539: JSObject::getNewType(JSContext*, JSFunction*, bool) (jsinfer.cpp:5914)
    ==16299==    by 0x4DC3B0: js_CreateThisForFunctionWithProto(JSContext*, JS::Handle<JSObject*>, JSObject*) (jsobj.cpp:2359)
    ==16299==    by 0x4029721: ???
    ==16299==    by 0x6ECCA5: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1515)
    ==16299==    by 0x4B3FDE: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2366)
    ==16299==    by 0x4B447A: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:326)
    ==16299==    by 0x4B554A: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:515)
    ==16299==    by 0x422F34: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5565)
    ==16299==    by 0x40F397: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:579)
    ==16299==  Address 0xecc149028948fff8 is not stack'd, malloc'd or (recently) free'd

Looks bad, marking sec-critical.
Blocks: IonFuzz
Crash Signature: [@ AnalyzeNewScriptProperties]
Keywords: crash, sec-critical
Summary: Assertion failure: hasScript(), at ../../jsfun.h:203 or Opt-Crash [@ AnalyzeNewScriptProperties] → IonMonkey: Assertion failure: hasScript(), at ../../jsfun.h:203 or Opt-Crash [@ AnalyzeNewScriptProperties]
Whiteboard: [jsbugmon:update,bisect]
This looks like an IonMonkey bug to me, probably having to do with invalidation. We call reportCompare twice. The first time through, the |new TestCase()| bit is calling a scripted constructor. The second time, it's calling a native constructor. But somehow Ion seems to be invoking the scripted path in both cases.
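The situation described in the comment above, as an added example that is not the bug's own testcase: one call site constructs through a global binding that is first a scripted function and then the native Number constructor, so any engine fast path specialised for the scripted callee must re-check the callee on the second call. It assumes a plain JavaScript engine (no --ion-eager or schedulegc), and uses Function.prototype.toString as a script-level stand-in for the engine's hasScript() check.

```javascript
// Added example, not the bug's testcase. Same shape: a global `TestCase` is
// first a scripted constructor, then rebound to the native `Number`, and the
// single `new TestCase(n)` call site must observe the change.

// JS-level stand-in for the engine's hasScript(): native functions stringify
// with "[native code]", functions that have a script body do not.
function isScripted(fn) {
  return typeof fn === "function" &&
    !/\[native code\]/.test(Function.prototype.toString.call(fn));
}

// `TestCase` is a free identifier resolved on the global object at every
// call, exactly like `new TestCase()` inside reportCompare() in the testcase.
function reportCompare(n) {
  return new TestCase(n);
}

function runScenario() {
  // First binding: a scripted constructor (a constructed stand-in for the
  // testcase's empty `function TestCase(n, d, e, a) {}`).
  globalThis.TestCase = function TestCase(n, d, e, a) { this.n = n; };
  const Scripted = globalThis.TestCase;
  const first = reportCompare(1);

  // Rebind the same global to a native constructor, as `this.TestCase = Number` does.
  globalThis.TestCase = Number;
  const second = reportCompare(4294967295.5);

  return {
    firstCalleeScripted: isScripted(Scripted),              // true: has a script
    secondCalleeScripted: isScripted(globalThis.TestCase),  // false: native, nothing to script-analyse
    firstIsScriptedInstance: first instanceof Scripted && first.n === 1,
    secondIsNumberObject: second instanceof Number && second.valueOf() === 4294967295.5,
  };
}
```

A regression test for this bug is the same check run under the JIT: both results must hold even when the first call was compiled with the scripted callee.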
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 85471409cbfb).

JSBugMon: Bisection requested, result: Due to skipped revisions, the first bad revision could be any of:

    changeset: 114283:5158d648702e
    user: Hannes Verschore
    date: Tue Nov 27 22:03:37 2012 +0100
    summary: Bug 813773: Enable IM to IM fastpath for constructing calls, r=nbp,sstangl

    changeset: 114284:7e5deb571bbe
    user: Geoff Brown
    date: Tue Nov 27 14:05:18 2012 -0700
    summary: Bug 814496 - sutAgent: Stop RedirOutputThread when timeout exceeded; r=wlach

This iteration took 0.214 seconds to run.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first good revision is:

    changeset: 114452:6b4e13b0d1e4
    user: Hubert Figuière
    date: Wed Nov 28 23:00:56 2012 -0500
    summary: Bug 816378 - Backout 5158d648702e (Bug 813773). a=bustage,Waldo

This iteration took 75.334 seconds to run.
Naveed do you know if Hannes' changeset in comment 4 might re-land or is this bug likely closeable?
Assignee: general → nihsanullah
Hannes, sounds like bug 813773 is likely for blame - could you take a look?
Assignee: nihsanullah → hv1989
Status: NEW → ASSIGNED
Oh cool! That's probably a reduced testcase of the gmail crashes we had! Eventually I wanted to reland bug 813773, but didn't find the time yet to figure out what the real problem with it was. This is now really simple, thanks :D
This problem is actually solved by backing out that changeset. I'll put this on WFM and create a better fix in the main bug 813773.
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Blocks: 813773
"FIXED" is better -- you did make a change that made this problem go away and it might come back if that fix is undone. I'm assuming you'll land the testcase as part of the re-jiggered bug 813773; when you do, please change the in-testsuite? flag to '+' here so we don't try to land duplicate regression tests for it in the future.
Flags: in-testsuite?
Resolution: WORKSFORME → FIXED
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Thanks for the explanation, Daniel. I intended to land the testcase in bug 819299, but I forgot :(. Therefore I've now added it. https://hg.mozilla.org/integration/mozilla-inbound/rev/ba667d2eeaba
Flags: in-testsuite? → in-testsuite+
Whiteboard: [jsbugmon:] → [jsbugmon:] fixed by backout
Whiteboard: [jsbugmon:] fixed by backout → [jsbugmon:][adv-main20-] fixed by backout
Group: core-security