The following test crashes on mozilla-central revision 41f75cbb91f2 with the patch of bug 708228 already applied (options -m -n -a): var SECT_PREFIX = 'Section '; var SECT_SUFFIX = ' of test - '; function inSection(x) { return SECT_PREFIX + x + SECT_SUFFIX; } var lfcode = new Array(); lfcode.push("gczeal(4); gczeal(0);"); lfcode.push("\ (function() {\ function Pattern(template) {}\ Pattern.prototype = {\ };\ function MatchError(msg) {};\ function isAtom(x) {}\ function isObject(x) {}\ function isArrayLike(x) {}\ function matchAtom(act, exp) {}\ for (var key in exp) {}\ function matchArray(act, exp) {\ match(act[i], exp[i]);\ }\ function match(act, exp) {\ };\ })();\ "); lfcode.push("status = inSection(12);"); lfcode.push("\ var a = [0,1,2,3,(/[\\u006d]/g ),5,6,7,8,9,10];\ while (status) var l, a = [];\ "); while (true) { var file = lfcode.shift(); if (file == undefined) { break; } loadFile(file); } function loadFile(lfVarx) { try { evaluate(lfVarx); } catch (lfVare) { } } The recursion cycle looks like this: #3481 0x0000000000657c68 in regexp_trace (trc=0xb2e288, obj=0x7ffff6010d00) at /srv/repos/mozilla-central/js/src/vm/RegExpObject.cpp:370 #3482 0x0000000000443c44 in JSObject::privateWriteBarrierPre (this=0x7ffff6010d00, old=0x7ffff6010d58) at ../jsobjinlines.h:2115 #3483 0x00000000004430c1 in JSObject::setPrivate (this=0x7ffff6010d00, data=0x0) at ../jsobjinlines.h:113 #3484 0x000000000065962d in js::RegExpObject::setPrivate (this=0x7ffff6010d00, rep=0x0) at ../vm/RegExpObject-inl.h:119 #3485 0x000000000065967b in js::RegExpObject::purge (this=0x7ffff6010d00, cx=0xb265c0) at ../vm/RegExpObject-inl.h:157
Created attachment 582031 [details] [diff] [review] patch The write barrier was triggering during the delayed marking call, which shouldn't be happening. I just moved the assignment of needsBarrier up, which means that the barrier won't trigger.
https://hg.mozilla.org/integration/mozilla-inbound/rev/2829d8482c67
https://hg.mozilla.org/mozilla-central/rev/2829d8482c67
or
