The following testcase asserts on mozilla-central revision 19fd3388c372 (run with --fuzzing-safe --ion-eager --ion-eager --ion-check-range-analysis): oomAfterAllocations(1); var uint32 = TypedObject.uint32;
Created attachment 823972 [details] [crash-signature] Machine-readable crash signature
Created attachment 827516 [details] [diff] [review] missing_check_in_InitTypedObjectClass-v0.diff Trivial. Not really worth the overhead of a test here.
Created attachment 827703 [details] [crash-signature] Machine-readable crash signature
Tested with the 11/01 and 02/04 Firefox 28 JS shells on Ubuntu 13.04 x86. I got the same results with both shells (although the 11/01 one is supposed to reproduce the assertion): "out of memory out of memory".