The following testcase crashes on ionmonkey revision a9a18824b4c1 (run with --ion -n -m --ion-eager): try { function f() { var obj = { p0:0, p1:1, p2:2, p3:3, p4:4, p5:5, p6:6, p7:7, p8:8, p9:9, p10:0, p11:1, set:2, p13:3, p14:4, p15:5, p16:6, p17:7, p18:8, p19:9, with : function() { return 42; } }; } actual = f(); } catch(exc1) {}

Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00007ffff6ef123d in malloc_consolidate () from /lib64/libc.so.6 (gdb) bt #0 0x00007ffff6ef123d in malloc_consolidate () from /lib64/libc.so.6 #1 0x00007ffff6ef41c2 in _int_malloc () from /lib64/libc.so.6 #2 0x00007ffff6ef55ed in malloc () from /lib64/libc.so.6 #3 0x000000000041456f in js_malloc (bytes=16384) at ../dist/include/js/Utility.h:173 #4 0x0000000000414696 in js::SystemAllocPolicy::malloc_ (this=0x7ffff7fdec58, bytes=16384) at ../../jsalloc.h:66 #5 0x000000000046d178 in js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::createTable (alloc=..., capacity=1024) at ./dist/include/js/HashTable.h:360 #6 0x000000000046d34f in js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::changeTableSize (this=0x7ffff7fdec58, deltaLog2=-1) at ./dist/include/js/HashTable.h:581 #7 0x000000000046cbd0 in js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::checkUnderloaded (this=0x7ffff7fdec58) at ./dist/include/js/HashTable.h:659 #8 0x000000000046bce8 in js::detail::HashTable<js::AtomStateEntry const, js::HashSet<js::AtomStateEntry, js::AtomHasher, js::SystemAllocPolicy>::SetOps, js::SystemAllocPolicy>::Enum::~Enum (this=0x7fffffffd700, __in_chrg=<value optimized out>) at ./dist/include/js/HashTable.h:265 #9 0x000000000046a967 in js_SweepAtomState (rt=0x7ffff7fb6010) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsatom.cpp:291 #10 0x00000000004b6555 in SweepPhase (cx=0xd05d30, gckind=js::GC_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3181 #11 0x00000000004b6f79 in MarkAndSweep (cx=0xd05d30, gckind=js::GC_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3293 #12 0x00000000004b7feb in GCCycle (cx=0xd05d30, full=true, budget=0, gckind=js::GC_NORMAL) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3653 #13 0x00000000004b8431 in Collect (cx=0xd05d30, full=true, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_CONTEXT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3749 #14 0x00000000004b8600 in js::GC (cx=0xd05d30, full=true, gckind=js::GC_NORMAL, reason=js::gcreason::LAST_CONTEXT) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgc.cpp:3770 #15 0x0000000000478f39 in js_DestroyContext (cx=0xd05d30, mode=JSDCM_FORCE_GC) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jscntxt.cpp:281 #16 0x000000000043800d in JS_DestroyContext (cx=0xd05d30) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsapi.cpp:1165 #17 0x0000000000411bb0 in DestroyContext (cx=0xd05d30, withGC=true) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:4567 #18 0x0000000000413705 in main (argc=6, argv=0x7fffffffde38, envp=0x7fffffffde70) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/shell/js.cpp:5118

This seems to cause quite a lot of different signatures, would be nice if it could be fixed first. It's some kind of memory corruption.

I can't reproduce on Mac.

Comment on attachment 613163 [details] [diff] [review] InitProp: Fix dynamic slot index. Review of attachment 613163 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/ion/IonBuilder.cpp @@ +2866,5 @@ > > MSlots *slots = MSlots::New(obj); > current->add(slots); > > + MStoreSlot *store = MStoreSlot::New(slots, baseObj->dynamicSlotIndex(shape->slot()), value); Good catch. The isFixedSlot() case is handled above.

Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397