The following testcase crashes on mozilla-central revision b11065872128 (run with --ion-eager): var appendToActual = function(s) { actual += s + ','; } gczeal(2,(3)); actual = ''; function loop(f) {} function f(j, k) { var g = function(a, b, c) {} for (k = 0; k < 5; ++k) appendToActual(loop(g)); } f(1);

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 115546:8275b86c0b62 user: Brian Hackett date: Mon Dec 10 12:02:31 2012 -0700 summary: Remove bytecode uses analysis, keep track of SSA values that were folded away when building MIR, bug 818869. r=jandem This iteration took 0.316 seconds to run.

Brian, can you take a look at this per comment 1? Thanks :) Might be a dup to the other bug (bug 821794).

This isn't exactly the same as bug 821794, but the two are very similar. In both cases we were not marking operands of calls which were inlined as being folded, so that phis for the call or its this/arguments were being eliminated. Since inlining decisions vary between compilations and affect what values are live/dead, these can never be eliminated. This patch fixes the testcases in both bugs.

NULL deref, doesn't affect any branches, not s-s.

A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug821788.js.