The following testcase crashes on ionmonkey-arm (private branch) revision (run with --ion -n -m --ion-eager): try { for ( p in this ) {} for ( i = 0; i < GLOBAL_PROPERTIES .length; i++ ) { } } catch(exc1) {} function f(N) { for (var i = 0; i != N; ++i) { var obj0 = {}, obj1 = {}, obj2 = {}; obj2['b'+i] = 0; var count = 0; for (var k in obj2) { if (i == Math.floor(N/3) || i == Math.floor(2*N/3)) gc(); switch (count) { case 0: expected='b'+i; break; } for (var l in obj0) ++count; } } } var array = [function() { f(10); }, ]; array[i]();

Crash info: Program received signal SIGSEGV, Segmentation fault. 0xffff8010 in ?? () (gdb) bt #0 0xffff8010 in ?? () #1 0x00068c14 in JS::Root<js::PropertyName*>::~Root (this=Cannot access memory at address 0xe ) at /home/decoder/ionmonkey-arm/js/src/gc/Root.h:188 Backtrace stopped: previous frame inner to this frame (corrupt stack?) (gdb) x /i $pc => 0xffff8010: Cannot access memory at address 0xf

I'll set tracking for 17 on this since I believe that's what we're aiming to land IonMonkey in.

Thanks for triage David, does the [ion:p1:fx18] imply we aren't landing IM in 17 or keep the plan to land in 17 and wontfix until 18?

(In reply to David Bolter [:davidb] Away July30-Aug3 from comment #3) > Thanks for triage David, does the [ion:p1:fx18] imply we aren't landing IM > in 17 or keep the plan to land in 17 and wontfix until 18? Right - we've decided not to land in 17, and are aiming for 18.

The original revision here is missing and it does not reproduce on tip for me. Closing as WFM.

Private branch only, marking in-testsuite-.