Closed Bug 820873 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ JSString::isAtom] or Opt-Crash [@ js_ConcatStrings]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla20

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 553a3bcf1fe7 (run with --ion-eager):

    var lfcode = new Array();
    lfcode.push("3");
    lfcode.push("with(evalcx('')) this.__defineGetter__('x', Function);");
    lfcode.push("gczeal(2)");
    lfcode.push("4");
    lfcode.push("\
    var log = '';\
    for (var { m } = i = 0 ; ; i++) {\
      log += x; \
      if (x === 6)\
        a.slow = true; if (i > 1000) break;\
    }\
    ");
    while (true) {
      var file = lfcode.shift();
      if (file == undefined) { break; }
      loadFile(file)
    }
    function loadFile(lfVarx) {
      if (!isNaN(lfVarx)) {
        lfRunTypeId = parseInt(lfVarx);
      } else {
        switch (lfRunTypeId) {
          case 3:
            function newFunc(x) { new Function(x)(); };
            newFunc(lfVarx);
            break;
          case 4:
            eval("(function() { " + lfVarx + " })();");
            break;
        }
      }
    }
Looks like a null-deref:

    ==15189== Invalid read of size 8
    ==15189==    at 0x40653A: JSString::isAtom() const (String.h:375)
    ==15189==    by 0x6F7575: js_ConcatStrings(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>) (String.cpp:302)
    ==15189==    by 0x52F4EF: js::AddOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Value const&, JS::Value const&, JS::Value*) (jsinterpinlines.h:570)
    ==15189==    by 0x5424FA: js::AddValues(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Value*) (jsinterp.cpp:3965)
    ==15189==    by 0x4029CC4: ???
    ==15189==    by 0x896E8C: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1526)
    ==15189==    by 0x8972B0: js::ion::SideCannon(JSContext*, js::StackFrame*, unsigned char*) (Ion.cpp:1598)
    ==15189==    by 0x5366EA: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1421)
    ==15189==    by 0x5326FB: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:346)
    ==15189==    by 0x533686: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:535)
    ==15189==    by 0x7782D1: EvalKernel(JSContext*, JS::CallArgs const&, EvalType, js::StackFrame*, JS::Handle<JSObject*>) (Eval.cpp:286)
    ==15189==    by 0x7786BB: js::DirectEval(JSContext*, JS::CallArgs const&) (Eval.cpp:337)
    ==15189==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Marking s-s anyway because it contains gczeal(2).
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Crash Signature: [@ JSString::isAtom] or Opt-Crash [@ js_ConcatStrings] → [@ JSString::isAtom] [@ js_ConcatStrings]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   114661:0952f7c80055
user:        Brian Hackett
date:        Fri Nov 30 15:59:52 2012 -0700
summary:     Add analysis to eliminate dead resume point operands, bug 814997. r=dvander

This iteration took 66.547 seconds to run.
Ccing Brian based on comment 2. Brian, can you take a look and also suggest a security rating? Thanks!
Flags: needinfo?(bhackett1024)
Attached patch patch + test (deleted) — Splinter Review
Argh, thought I'd handled this case in bug 814997 but apparently not. If a definition is used in a phi in that same block, then it is live throughout the containing loop and can't be eliminated from resume point operands.
Assignee: general → bhackett1024
Attachment #691828 - Flags: review?(dvander)
Flags: needinfo?(bhackett1024)
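To make the liveness condition in the comment above concrete, here is a toy model of the resume-point operand pruning, added as an example for this page. It is not IonMonkey code: the Block/Phi/Insn/ResumePoint types, the SSA names and the loop-header layout are all constructed for illustration. It contrasts a naive rule ("drop an operand once nothing later in the block uses it") with the corrected rule from the patch description ("a definition used by a phi in its own block is live around the whole loop, so keep it"), using a header block shaped like the `log += x` loop in the testcase.

```python
"""Toy model of dead-resume-point-operand pruning (bug 814997 / bug 820873).

Added example, not IonMonkey code. A loop header block holds phis,
instructions and resume points; a resume point records which SSA values
must be recoverable if execution bails out of JIT code at that position.
All names here are invented for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Phi:
    name: str
    operands: list            # values merged from the predecessors/backedge


@dataclass
class Insn:
    name: str                 # SSA value this instruction defines
    operands: list = field(default_factory=list)


@dataclass
class ResumePoint:
    index: int                # sits just before block.insns[index]
    operands: list = field(default_factory=list)


@dataclass
class Block:
    phis: list
    insns: list
    resume_points: list


def used_by_phi_in_block(name, block):
    """True if some phi of this block consumes `name` (i.e. it flows around the loop)."""
    return any(name in phi.operands for phi in block.phis)


def used_after(name, index, block):
    """True if an instruction at or after `index` in this block reads `name`."""
    return any(name in insn.operands for insn in block.insns[index:])


def naive_can_drop(name, rp, block):
    """Pre-fix rule: only straight-line uses later in the block keep a value alive."""
    return not used_after(name, rp.index, block)


def fixed_can_drop(name, rp, block):
    """Corrected rule: a phi use in the same block means live throughout the loop."""
    if used_by_phi_in_block(name, block):
        return False
    return not used_after(name, rp.index, block)


def prune_resume_points(block, rule):
    """Return {resume point index: operands kept} after applying `rule`."""
    return {rp.index: [op for op in rp.operands if not rule(op, rp, block)]
            for rp in block.resume_points}


def build_loop_header():
    """Constructed loop header modelled on `for (...) { log += x; ... }`.

    log1 = phi(log0, log2); log2 = concat(log1, x). log2 feeds the phi on the
    backedge, so it is live even though no later instruction in this block
    reads it. `tmp` really is dead after the resume point; `i` is not.
    """
    phis = [Phi("log1", ["log0", "log2"])]
    insns = [Insn("log2", ["log1", "x"]),
             Insn("tmp", ["i"]),
             Insn("cmp", ["x", "six"]),      # resume point 2 is placed before this
             Insn("i1", ["i"])]
    rp = ResumePoint(index=2, operands=["log2", "tmp", "i"])
    return Block(phis, insns, [rp])


if __name__ == "__main__":
    blk = build_loop_header()
    print("naive:", prune_resume_points(blk, naive_can_drop))   # drops log2
    print("fixed:", prune_resume_points(blk, fixed_can_drop))   # keeps log2
```

Under the naive rule the resume point loses `log2`; a bailout at that point then has no value for the accumulated string, which is the shape of the null `JSString*` reaching js_ConcatStrings in the trace above. The fixed rule keeps it, while still discarding `tmp`, whose last use genuinely precedes the resume point.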
NULL deref, doesn't affect branches, not s-s.
Group: core-security
Blocks: 814997
Keywords: regression
Attachment #691828 - Flags: review?(dvander) → review+
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug820873.js.
Flags: in-testsuite+