Closed Bug 763440 Opened 13 years ago Closed 13 years ago

IonMonkey: Crash [@ js::Proxy::set] with use-after-free and gcPreserveCode

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

RESOLVED DUPLICATE of bug 762936

People

(Reporter: decoder, Unassigned)

(Keywords: crash, sec-critical, testcase, Whiteboard: [jsbugmon:update])

The following testcase crashes on ionmonkey revision 5cfb73435e06 (run with --ion -n -m --ion-eager):

var summary = '';
var actual = '';
gcPreserveCode()
function TestCase(n, d, e, a) {
  this.name=n;
}
function reportCompare (expected, actual, description) {
  new TestCase
}
reportCompare(true, eval++, "Function.prototype.isGenerator present");
var p = Proxy.create({ has : function(id) {} });
Object.prototype.__proto__ = p;
new TestCase;
var expect = '';
reportCompare(expect, actual, summary);
gczeal(4);
try { evalcx("."); } catch (e) {}
reportCompare(expect, actual, summary);
Crash trace:

==24613== Invalid read of size 4
==24613==    at 0x81DBB98: js::Proxy::set(JSContext*, JSObject*, JSObject*, jsid, bool, JS::Value*) (jsproxy.cpp:1108)
==24613==    by 0x81DCF59: proxy_SetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Value*, int) (jsproxy.cpp:1338)
==24613==    by 0x8198201: JSObject::nonNativeSetProperty(JSContext*, JS::Handle<jsid>, JS::Value*, int) (jsobj.cpp:3083)
==24613==    by 0x807284F: JSObject::setGeneric(JSContext*, JS::Handle<jsid>, JS::Value*, int) (jsobjinlines.h:93)
==24613==    by 0x84CFCB7: js::ion::SetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, bool, bool) (VMFunctions.cpp:316)
==24613==    by 0x847074A: js::ion::SetPropertyCache(JSContext*, unsigned int, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool) (IonCaches.cpp:612)
==24613==    by 0x9CCBA95: ???
==24613==  Address 0xdadadada is not stack'd, malloc'd or (recently) free'd
Group: core-security
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE