Closed Bug 906856 Opened 11 years ago Closed 11 years ago

Crash on Heap with controllable read involving Array.length

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical



RESOLVED DUPLICATE of bug 905999

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:])

The following testcase crashes on mozilla-central revision c8c9bd74cc40 (run with --fuzzing-safe --ion-eager):

    function Test262Error(message) { if (message) this.message = message; };
    function testFailed(message) { throw new Test262Error(message); }
    try { testFailed("x"); } catch(e) {}
    try { testFailed('x' + (3 >> 21)); } catch(e) {}
    evaluate("testFailed((new Array(0x1337)).length);", { noScriptRval : true });
Eric wanted me to file this as its own bug. It could be a dup of one of the others currently open regarding Array.length, but he isn't sure about it yet. Marking s-s and sec-high because this is obviously quite dangerous :)
Whiteboard: [jsbugmon:update,bisect]
Oh, look. I'm totally shocked to report the first bad revision is:

    changeset: 142449:42776e928f7b
    user: Eric Faust <efaustbmo@gmail.com>
    date: Sat Aug 10 22:20:36 2013 -0700
    summary: Bug 902264 - Part 2: Expose Array.length optimization to idempotent GetPropertyICs. (r=jandem)

http://www.reactiongifs.com/wp-content/uploads/2013/03/oh-boy.gif
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Error: Failed to compile specified revision c8c9bd74cc40 (maybe try another?)
Ion uses inaccurate TI to specialize the type of the |message| parameter to the error constructor to string, which then generates a specialized length check for the |if (message)|, which is not compatible with the actual value supplied, 0x1337. This is just a duplicate of the GC bug previously filed. Fix up for review there.
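Added example, not code from this bug report and not SpiderMonkey code: a toy JavaScript model of the mechanism described in the comment above. A "type inference" pass records the argument tags seen at a call site; the "optimizer" then compiles `if (message)` into a string-only length check; a later call with the number `(new Array(0x1337)).length` reaches that check. Without a type guard the number's raw payload is dereferenced as if it were a string pointer, which the model reports as a read from address 0x1337; with a guard the site bails out to the generic test. The tagged-Value layout (a heap map keyed by address, with a number's payload being the raw number) and the names `box`, `makeCallSite` and `demo` are assumptions of the model, chosen to make the mismatch visible, not a description of the real Value encoding.

```javascript
'use strict';

// Model heap: address -> string object whose header carries its length.
const heap = new Map();
let nextAddr = 0x10000;

// Box a JS value as a tagged Value (model assumption). Strings are allocated on
// the model heap and the box carries their address; numbers carry the raw
// number as the payload.
function box(v) {
  if (typeof v === 'string') {
    const addr = nextAddr;
    nextAddr += 0x20;
    heap.set(addr, { length: v.length, chars: v });
    return { tag: 'string', payload: addr };
  }
  if (typeof v === 'number') return { tag: 'number', payload: v };
  throw new TypeError('the model only boxes strings and numbers');
}

// Generic `if (message)`: dispatch on the tag, then apply the right truthiness test.
function genericTruthy(b) {
  if (b.tag === 'string') return heap.get(b.payload).length !== 0;
  return b.payload !== 0 && !Number.isNaN(b.payload);
}

// String-specialized `if (message)`: assumes the tag is 'string' and dereferences
// the payload as an address to load the length header. Handed a number box, the
// raw number (0x1337 in the testcase) is used as an address; the model reports
// that as a bad read where a real engine would fault or read the wrong memory.
function stringSpecializedTruthy(b) {
  const obj = heap.get(b.payload);
  if (obj === undefined) {
    throw new Error('read from unmapped address 0x' + b.payload.toString(16));
  }
  return obj.length !== 0;
}

// Toy TI and optimizer for a single call site.
function makeCallSite() {
  const observed = new Set();      // argument tags TI has seen at this site
  let compiled = genericTruthy;    // the check currently "compiled" for the site
  let bailouts = 0;

  function record(b) { observed.add(b.tag); }
  // Specialize only when TI has seen nothing but strings.
  function optimize() {
    compiled = (observed.size === 1 && observed.has('string'))
      ? stringSpecializedTruthy : genericTruthy;
  }
  // Unsound: runs whatever was compiled on whatever arrives.
  function runUnguarded(b) { return compiled(b); }
  // Sound: a type guard; on mismatch, bail out to the generic path and drop the
  // specialization, since TI's assumption has just been shown wrong.
  function runGuarded(b) {
    if (compiled === stringSpecializedTruthy && b.tag !== 'string') {
      bailouts++;
      record(b);
      optimize();
    }
    return compiled(b);
  }
  function observedTags() { return [...observed]; }
  function bailoutCount() { return bailouts; }

  return { record, optimize, runUnguarded, runGuarded, observedTags, bailoutCount };
}

// Replays the shape of the testcase: two warm-up calls with strings, then a call
// with the number (new Array(0x1337)).length.
function demo() {
  const site = makeCallSite();
  site.record(box('x'));
  site.record(box('x' + (3 >> 21)));   // 'x0', still a string
  site.optimize();
  const observedBeforeHot = site.observedTags();   // ['string']

  const hot = box((new Array(0x1337)).length);   // { tag: 'number', payload: 4919 }
  let unguardedError = null;
  try {
    site.runUnguarded(hot);
  } catch (e) {
    unguardedError = e.message;
  }
  const guarded = site.runGuarded(hot);

  return {
    observedBeforeHot,
    hotPayload: hot.payload,        // 0x1337
    unguardedError,                 // 'read from unmapped address 0x1337'
    guarded,                        // true: the generic test on 4919
    bailouts: site.bailoutCount(),  // 1
  };
}
```

The point the model makes is the one in the comment: the specialization itself is fine for strings, and the defect is that the compiled code was reached with a value whose type TI had never observed and had no guard to catch.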
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release