The following testcase crashes on mozilla-central revision 26ab72bfa9df (run with --ion-eager): var p = Proxy.create({ has : function(id) {} }); Object.prototype.__proto__ = p; test(); function test() { var start = 0; var stop = 0; var resolution = 5; while (stop - start == 0) { start = Date.now(); stop = Date.now(); } actual = (stop - start <= resolution); actual; } test(); actual = ''; test(); for (var i = 0; actual ;-i) {}

The crash itself looks harmless: Program received signal SIGSEGV, Segmentation fault. js::ToBooleanSlow (v=...) at js/src/jsbool.cpp:194 194 return v.toString()->length() != 0; #0 js::ToBooleanSlow (v=...) at js/src/jsbool.cpp:194 #1 0x0000000000847e60 in ToBoolean (v=...) at ../jsapi.h:1550 #2 js::ion::DoToBoolFallback (cx=0x19487b0, frame=0x7fffffffd408, stub=0x195a0a0, arg=$jsval(<error reading variable: Cannot access memory at address 0x7fff00000001>), ret=...) at js/src/ion/BaselineIC.cpp:2068 #3 0x00007ffff7f994da in ?? () [...] rax 0x1 140733193388033 => 0x477d05 <js::ToBooleanSlow(JS::Value const&)+213>: mov (%rax),%rax 0x477d08 <js::ToBooleanSlow(JS::Value const&)+216>: shr $0x4,%rax However, before reducing, this test asserted instead with Assertion failure: (ptrBits & 0x7) == 0, at ./dist/include/js/Value.h:734 and in an opt-build I got this instead: Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at gc/Verifier.cpp:614 Both seem to indicate a GC problem, so I'm going to assume that this is s-s. Please let me know if the bug reproduced by this test and the assertions are connected. If not, then I will try to produce a second testcase reproducing the ptrBits assertion.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 129595:a8d0317c24c1 user: Brian Hackett date: Sun Apr 14 06:40:58 2013 -0600 summary: Bug 861419 - Consider values in prototype when reading global names during Ion compilation. This iteration took 11.935 seconds to run.

Brian, can you take a look based on comment 3? Thanks.

Conservatively marking this high based on the assertion failures from comment 1.

WFM on tip, can you still reproduce? The blame is almost certainly wrong, that bug is pretty innocuous.

JSBugMon: This bug has been automatically confirmed to be still valid (reproduced on revision 8eebe35aae63).

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 4c4dec8506ab).

JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/7ecbdd658637 user: Shu-yu Guo date: Mon Jun 10 12:10:13 2013 -0700 summary: Bug 879723 - Make sure property types reflect inherited types from the prototype when specializing a setgname. (r=bhackett) This iteration took 10.762 seconds to run.

Shu, is the bug in comment 9 likely the fix for this bug?

(In reply to Christian Holler (:decoder) from comment #10) > Shu, is the bug in comment 9 likely the fix for this bug? Can't say for sure, but likely, since the fuzz test case futzes with the proto chain.