The attached testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager).

Crash trace: ==8119== Invalid write of size 4 ==8119== at 0x810F8F3: JSObject::updateSlotsForSpan(JSContext*, unsigned int, unsigned int) (Barrier-inl.h:257) ==8119== by 0x810FBC7: JSObject::allocSlot(JSContext*, unsigned int*) (jsobj.cpp:3859) ==8119== by 0x81585DC: JSObject::getChildProperty(JSContext*, js::Shape*, js::StackShape&) (jsscope.cpp:355) ==8119== by 0x815D24A: JSObject::addPropertyInternal(JSContext*, int, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, JS::Value*), int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, int, JS::Value*), unsigned int, unsigned int, unsigned int, int, js::Shape**, bool) (jsscope.cpp:562) ==8119== by 0x815E1AF: JSObject::putProperty(JSContext*, int, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, JS::Value*), int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, int, JS::Value*), unsigned int, unsigned int, unsigned int, int) (jsscope.cpp:637) ==8119== by 0x8112486: js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<int>, unsigned int, JS::Value*, int) (jsobj.cpp:5356) ==8119== by 0x837CEB4: js::ion::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, bool, bool) (VMFunctions.cpp:313) ==8119== by 0x83437CA: js::ion::SetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:612) ==8119== by 0x7B9288E: ??? ==8119== by 0x8322201: EnterIon(JSContext*, js::StackFrame*, void*) (Ion.cpp:1104) ==8119== by 0x80F2196: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2544) ==8119== by 0x80F320F: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:286) ==8119== Address 0x70 is not stack'd, malloc'd or (recently) free'd

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 3dc37e74fdf0).

Also a dup of bug 762936?