The following testcase crashes on mozilla-central revision 3acbf951b3b1 (run with --ion-eager): eval("(function() { " + "\ function f() {};\ function g() {\ f(0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,(05 ),8,9,\ 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,\ 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,\ 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,\ 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,\ 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,\ 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,\ 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,\ 0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,\ 0,1,2,3,4,5,6,(/\\u00ad/ ),8,9,0,1,2,3,4,5,6,7,8,9);\ }\ g();\ g();\ g();\ " + " })();");

Crash trace: Program received signal SIGSEGV, Segmentation fault. 0xf5bf68c4 in ?? () (gdb) bt #0 0xf5bf68c4 in ?? () #1 0xf5bf1250 in ?? () #2 0xf5bf1250 in ?? () Backtrace stopped: previous frame identical to this frame (corrupt stack?) (gdb) x /i $pc => 0xf5bf68c4: ldrne r12, [r12, -r12] (gdb) info reg r0 0xf5bf6898 -172005224 r1 0x1 1 r2 0xffffff82 -126 r3 0xf5f31128 -168619736 r4 0xf6fddb30 -151135440 r5 0x0 0 r6 0x0 0 r7 0xffffff82 -126 r8 0xc1 193 r9 0xf5d31160 -170716832 r10 0x0 0 r11 0xf5f31120 -168619744 r12 0xf6fdd4d8 -151137064 sp 0xf6fdd4cc 0xf6fdd4cc lr 0xf5bf1250 -172027312 pc 0xf5bf68c4 0xf5bf68c4 cpsr 0x20070010 537329680 (gdb)

ldr.?.? r12, [r12, -r12] is a single instruction conditional crash. If it is executed, it is guaranteed to load from 0, which will crash. I use it as a very short assertion (well, half the size of a standard branch + bkpt)

Christian, was this in a debug or opt build?

I verified this is fixed. Marty, did your fix have another bug number that we can dupe this to?

Marking WFM since it is fixed as per comment 4 (since 6 years ago), but the actual fix is unknown.