Closed Bug 764374 Opened 12 years ago Closed 12 years ago

IonMonkey: Crash [@ js::Shape::getObjectClass] with gcPreserveCode

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86_64
Linux
Not set
major

RESOLVED DUPLICATE of bug 763989

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update][fuzzblocker])

The following testcase crashes on ionmonkey revision 71b71dcbf9fe (run with --ion -n):

gcPreserveCode();
(function () {
  for (var q = 0; q < 6; +q) {
    x: (function () {
      var m = (function (parent) {})()
    })([0, , 0, 0, 0, , 0, 0, 0, , 0, 0, 0, , 0, 0, 0, 0, 0, 0, Number((1))])
  }
})()

Crash trace:

==22993== Invalid read of size 8
==22993==    at 0x406350: js::Shape::getObjectClass() const (jsscope.h:605)
==22993==    by 0x40771B: js::ObjectImpl::getClass() const (ObjectImpl-inl.h:245)
==22993==    by 0x51B415: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jsinterp.cpp:310)
==22993==    by 0x45E84F: js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (jsinterp.h:100)
==22993==    by 0x51B8B1: js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (jsinterp.cpp:373)
==22993==    by 0x8ACB0C: js::ion::InvokeFunction(JSContext*, JSFunction*, unsigned int, JS::Value*, JS::Value*) (VMFunctions.cpp:65)
==22993==    by 0x40347AF: ???
==22993==    by 0x10403469F: ???
==22993==    by 0x7FEFFE497: ???
==22993==    by 0xF: ???
==22993==    by 0xDE47DF: ???
==22993==    by 0xDE47BF: ???
==22993==  Address 0xdadadadadadadada is not stack'd, malloc'd or (recently) free'd

Likely responsible for quite a few signatures I've been picking up recently, marking as fuzzblocker.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][fuzzblocker]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
A testcase for this bug was already added in the original bug (bug 763989).
Flags: in-testsuite-