The following testcase asserts on ionmonkey revision 4ce3983a43f4 (run with --ion -n -m): function assertEq(setter) { if (setter > 10) return {assertEq: 3.3}; return {__proto__: assertEq(setter + 1)}; } function testX() { var x = 2; var local0 = x; return { local0: local0 }; } var resultsX = testX(); assertEq(resultsX.local0, 2); gczeal(2); assertEq(new (Proxy.createFunction({}, function(){}, function(){})), undefined);

Crash trace: Program received signal SIGSEGV, Segmentation fault. 0x0804ca51 in js::gc::Cell::compartment (this=0x0) at ../../gc/Heap.h:970 970 return arenaHeader()->compartment; (gdb) x /i $pc => 0x804ca51 <js::gc::Cell::compartment() const+17>: mov (%eax),%eax (gdb) info reg eax eax 0x0 0 (gdb) bt #0 0x0804ca51 in js::gc::Cell::compartment (this=0x0) at ../../gc/Heap.h:970 #1 0x08337013 in js::gc::CheckMarkedThing<JSObject> (trc=0x87aae28, thing=0x0) at js/src/gc/Marking.cpp:86 #2 0x083358b4 in js::gc::MarkInternal<JSObject> (trc=0x87aae28, thingp=0xfffe01d0) at js/src/gc/Marking.cpp:108 #3 0x08333ee3 in js::gc::MarkRoot<JSObject> (trc=0x87aae28, thingp=0xfffe01d0, name=0x85c2794 "ion-vm-args") at js/src/gc/Marking.cpp:154 #4 0x0832fa0b in js::gc::MarkObjectRoot (trc=0x87aae28, thingp=0xfffe01d0, name=0x85c2794 "ion-vm-args") at js/src/gc/Marking.cpp:213 #5 0x08445f88 in MarkIonExitFrame (trc=0x87aae28, frame=...) at js/src/ion/IonFrames.cpp:497 #6 0x084460aa in MarkIonActivation (trc=0x87aae28, activations=...) at js/src/ion/IonFrames.cpp:530 #7 0x08446178 in js::ion::MarkIonActivations (rt=0x87aacb8, trc=0x87aae28) at js/src/ion/IonFrames.cpp:557 #8 0x0810886c in js::MarkRuntime (trc=0x87aae28, useSavedRoots=false) at js/src/jsgc.cpp:2348 #9 0x08109a7d in BeginMarkPhase (rt=0x87aacb8) at js/src/jsgc.cpp:3003 #10 0x0810adfe in NonIncrementalMark (rt=0x87aacb8, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:3306 #11 0x0810be60 in GCCycle (rt=0x87aacb8, incremental=false, budget=0, gckind=js::GC_NORMAL) at js/src/jsgc.cpp:3660 #12 0x0810c37f in Collect (rt=0x87aacb8, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3769 #13 0x0810c514 in js::GC (rt=0x87aacb8, gckind=js::GC_NORMAL, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:3793 #14 0x081066b5 in js::gc::RunLastDitchGC (cx=0x87cf570, reason=js::gcreason::DEBUG_GC) at js/src/jsgc.cpp:1668 #15 0x0810d133 in js::gc::RunDebugGC (cx=0x87cf570) at js/src/jsgc.cpp:4012 #16 0x080b1501 in js::gc::NewGCThing<JSObject> (cx=0x87cf570, kind=js::gc::FINALIZE_OBJECT4, thingSize=48) at ../jsgcinlines.h:413 #17 0x080a032e in js_NewGCObject (cx=0x87cf570, kind=js::gc::FINALIZE_OBJECT4) at ../jsgcinlines.h:459 #18 0x080a077b in js::NewObjectCache::newObjectFromHit (this=0x87bf750, cx=0x87cf570, entry_=11) at ../jscntxtinlines.h:125 #19 0x08189114 in js::NewObjectWithClassProto (cx=0x87cf570, clasp=0x87815c0, proto=0x0, parent=0xf7703040, kind=js::gc::FINALIZE_OBJECT4) at js/src/jsobj.cpp:2824 #20 0x080a3509 in js::NewBuiltinClassInstance (cx=0x87cf570, clasp=0x87815c0, kind=js::gc::FINALIZE_OBJECT4) at ../jsobjinlines.h:1445 #21 0x0849b384 in js::ion::NewInitObject (cx=0x87cf570, baseObj=..., type=0xf7700160) at js/src/ion/VMFunctions.cpp:239 #22 0x0041434a in ?? () Could be a null-deref only, but making this s-s until confirmed as the crash is GC-related.

Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/2e891e0db397