Closed Bug 821794 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash on Heap through [@ EnterIon]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 821788

People

(Reporter: decoder, Unassigned)

References

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

The following testcase crashes on mozilla-central revision b11065872128 (run with --ion-eager):

gczeal(2);
function bitsinbyte() {
  var [ summary ] = true;
}
function TimeFunc(func) {
  for (var y = 0; y < 11000; y++)
    func();
}
TimeFunc(bitsinbyte);

Crash trace:

==12281== Invalid read of size 8
==12281==    at 0x403E100: ???
==12281==    by 0x89A960: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1527)
==12281==    by 0x89AD84: js::ion::SideCannon(JSContext*, js::StackFrame*, unsigned char*) (Ion.cpp:1599)
==12281==    by 0x539641: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1428)
==12281==    by 0x535645: js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) (jsinterp.cpp:346)
==12281==    by 0x5365D0: js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) (jsinterp.cpp:535)
==12281==    by 0x53682A: js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (jsinterp.cpp:573)
==12281==    by 0x454C22: JS_ExecuteScript(JSContext*, JSObject*, JSScript*, JS::Value*) (jsapi.cpp:5571)
==12281==    by 0x40A2F9: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:579)
==12281==    by 0x416B07: ProcessArgs(JSContext*, JSObject*, js::cli::OptionParser*) (js.cpp:4913)
==12281==    by 0x416CF7: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4950)
==12281==    by 0x417692: main (js.cpp:5153)
==12281==  Address 0x28 is not stack'd, malloc'd or (recently) free'd
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   115546:8275b86c0b62
user:        Brian Hackett
date:        Mon Dec 10 12:02:31 2012 -0700
summary:     Remove bytecode uses analysis, keep track of SSA values that were folded away when building MIR, bug 818869. r=jandem

This iteration took 0.345 seconds to run.
Brian, can you look at this per comment 2? Thanks :)
Blocks: IonFuzz
Flags: needinfo?(bhackett1024)
Summary: Crash on Heap through [@ EnterIon] → IonMonkey: Crash on Heap through [@ EnterIon]
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
A testcase for this bug was automatically identified at js/src/jit-test/tests/ion/bug821794.js.
Flags: in-testsuite+