Closed Bug 884254 Opened 11 years ago Closed 11 years ago

Crash [@ js::Invoke] with schedulegc

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla24
Tracking Status
firefox23 --- unaffected
firefox24 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 4e5983de6e3b (run with --ion-eager):

function reportCompare () {
  new TestCase("x");
}
var f = function ff() {
  var counter = function q() {}
}
function TestCase(n, d, e, a) {
  this.bugnumber = f();
  gTestcases[gTc++] = this;
}
schedulegc(100);
status = 'y';
try {
  test();
} catch(exc1) {}
function test() {
  reportCompare();
}
evaluate('var aaaaaa = "z"; var f = "x";');
var [ [ b ] ] = test();
Crash trace:

Program received signal SIGSEGV, Segmentation fault.
js::Invoke (cx=0x18779a0, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:382
382         if (!clasp->call)
#0  js::Invoke (cx=0x18779a0, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:382
#1  0x00000000004939f7 in js::Invoke (cx=0x18779a0, thisv=..., fval=..., argc=0, argv=0x7fffffffb6b8, rval=0x7fffffffb670) at js/src/vm/Interpreter.cpp:437
#2  0x000000000091d531 in js::ion::InvokeFunction (cx=0x18779a0, fun0=..., argc=0, argv=0x7fffffffb6b0, rval=<optimized out>) at js/src/ion/VMFunctions.cpp:78
#3  0x00007ffff67c83e5 in ?? ()
#4  0x0000000000000003 in ?? ()
#5  0x00007fffffffb670 in ?? ()
#6  0x0000000001859c90 in ?? ()
#7  0x000000000184dfa0 in js::ion::GetIntrinsicValueInfo ()
rax            0x78     -2676586398680612744
=> 0x492f0f <js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct)+1119>:    mov    0x58(%rax),%rsi

S-s because this involves schedulegc.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/ce43d28276e4
user:        Brian Hackett
date:        Fri Jun 14 05:58:28 2013 -0600
summary:     Bug 678037 - Enable lazy JS parsing and fix various bugs, r=waldo,evilpie,nobody.

This iteration took 304.273 seconds to run.
Needinfo from Brian based on comment 3 :)
Flags: needinfo?(bhackett1024)
Attached patch patch (deleted) — Splinter Review
Autobisect is wrong (schedulegc etc.); this is a regression from bug 870052. We don't add freeze constraints until the end of IonBuilder, so that IonBuilder can modify the observed type sets if it wants as it goes. The problem is that analyzeTypes will also modify these observed type sets, and can modify those for parts that IonBuilder has already traversed. analyzeTypes can be called during compilation if we need to regenerate the new script information; the attached patch fixes this behavior. (Though, really need to kill analyzeTypes entirely.)
Assignee: general → bhackett1024
Attachment #764718 - Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
Comment on attachment 764718 [details] [diff] [review]
patch

Review of attachment 764718 [details] [diff] [review]:
-----------------------------------------------------------------

Since this only affects 24 it's probably fine to add the testcase.
Attachment #764718 - Flags: review?(jdemooij) → review+
Pushed without the testcase. I don't think tests which use schedulegc are robust enough to really be worth including in the test suite (similarly for tests that OOM after N allocations). https://hg.mozilla.org/integration/mozilla-inbound/rev/f822fe6c9708
Flags: in-testsuite-
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b3cbafd5eb99).
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security