The attached testcase crashes on ionmonkey revision 1fd6c40d3852 (run with --ion -n).

Crash trace: Program received signal SIGSEGV, Segmentation fault. 0x08385504 in js::ion::IonCommonFrameLayout::returnAddress (this=0x1fffab80) at ../ion/shared/IonFrames-x86-shared.h:76 76 return returnAddress_; (gdb) bt #0 0x08385504 in js::ion::IonCommonFrameLayout::returnAddress (this=0x1fffab80) at ../ion/shared/IonFrames-x86-shared.h:76 #1 0x0838552d in js::ion::IonFrameIterator::returnAddress (this=0xffffa930) at ../ion/IonFrames.h:386 #2 0x08384082 in InvalidateActivation (cx=0x86e0d98, ionTop=0xffffab88 "x\253\377\377\207\377\377\377\310\363\234\367\310\363\234\367\370\243o\b\212LA", invalidateAll=false) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1025 #3 0x08384440 in js::ion::Invalidate (cx=0x86e0d98, invalid=..., resetUses=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Ion.cpp:1116 #4 0x0811b5da in js::types::TypeCompartment::processPendingRecompiles (this=0x86e15dc, cx=0x86e0d98) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:2148 #5 0x080a5353 in js::types::AutoEnterTypeInference::~AutoEnterTypeInference (this=0xffffaa64, __in_chrg=<value optimized out>) at ../jsinferinlines.h:235 #6 0x081248ed in js::types::TypeMonitorResult (cx=0x86e0d98, script=0xf7706da0, pc=0x86ee65e "5", rval=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsinfer.cpp:5170 #7 0x081542f9 in js::types::TypeScript::Monitor (cx=0x86e0d98, script=0xf7706da0, pc=0x86ee65e "5", rval=...) at ../jsinferinlines.h:575 #8 0x0845d51e in js::ion::InvalidationBailout (sp=0xffffab38, frameSizeOut=0xffffab34) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/Bailouts.cpp:461 #9 0x004143ca in ?? ()

Doesn't crash on revision 5c7806169494 anymore.