The attached testcase crashes on ionmonkey revision e8de64e7e9fe (run with --ion -n -m).

Crash trace: Program received signal SIGSEGV, Segmentation fault. 0x0804c61b in js::gc::ArenaHeader::allocated (this=0x7ff80000) at ../../gc/Heap.h:468 468 JS_ASSERT(allocKind <= size_t(FINALIZE_LIMIT)); Missing separate debuginfos, use: debuginfo-install libgcc-4.4.6-3.el6.i686 libstdc++-4.4.6-3.el6.i686 (gdb) bt 8 #0 0x0804c61b in js::gc::ArenaHeader::allocated (this=0x7ff80000) at ../../gc/Heap.h:468 #1 0x0804c67f in js::gc::ArenaHeader::getAllocKind (this=0x7ff80000) at ../../gc/Heap.h:498 #2 0x0806b183 in js::gc::Cell::getAllocKind (this=0x7ff80000) at ../gc/Heap.h:942 #3 0x080f0fcc in js::gc::GetGCThingTraceKind (thing=0x7ff80000) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/jsgcinlines.h:63 #4 0x08318a2f in js::gc::MarkGCThingRoot (trc=0x8780e08, thingp=0xffffbff0, name=0x85a1ddc "ion-gc-spill") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/gc/Marking.cpp:272 #5 0x0831961a in js::gc::MarkThingOrValueRoot (trc=0x8780e08, word=0xffffbff0, name=0x85a1ddc "ion-gc-spill") at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/gc/Marking.cpp:543 #6 0x08427577 in MarkIonJSFrame (trc=0x8780e08, frame=...) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:490 #7 0x08427851 in MarkIonActivation (trc=0x8780e08, top=0xffffbfc8 "\337}B", activation=0xffffc134) at /home/ownhero/homes/mozilla/repos/ionmonkey/js/src/ion/IonFrames.cpp:565 (More stack frames follow...) (gdb) x /i $pc => 0x804c61b <js::gc::ArenaHeader::allocated() const+21>: movzbl 0xc(%eax),%eax (gdb) info reg eax eax 0x7ff80000 2146959360

A testcase for this bug was already added in the original bug (bug 754718).