The following testcase asserts on ionmonkey-arm (private branch) revision 153a2db06024 (run with --ion -n -m --ion-eager): function startTest() {} function writeHeaderToLog( string ) { print( string ); } this.watch("x", function() { }); evaluate('\ var SECTION = "12.6.3-3";\ var VERSION = "ECMA_1";\ startTest();\ var TITLE = "The for..in statement";\ writeHeaderToLog( ++ TITLE );\ var o = {};\ var result = "";\ for ( (TITLE).a in [1,2,3] ) { result += String( [(0),2,3][o.a] ); }\ ',{ noScriptRval: true });

Please note that you need the patch from bug 765302 for this test to work (the noScriptRval option to evaluate was previously not supported). Alternatively, you can replace the evaluate by a load("tmp.js") and put the evaluated code into tmp.js. Crash Info (opt build): Program received signal SIGSEGV, Segmentation fault. 0xdeadbeee in ?? () (gdb) bt #0 0xdeadbeee in ?? () #1 0x002af658 in iterator_methods () #2 0x002af658 in iterator_methods () Backtrace stopped: previous frame identical to this frame (corrupt stack?)

I just imported that patch, and rebuilt and didn't see any crashes. Does this still reproduce for you? (does the unreduced testcase still crash?)

Christian: are you still seeing this crash?

(In reply to Daniel Veditz [:dveditz] from comment #3) > Christian: are you still seeing this crash? Marty told me on IRC that he reproduced this and is working on it :)

Just fyi, the bug doesn't reproduce for me on tip. Marty, are you still working on this or should we close WFM?

mjrosenb mentions that we should close this WFM.

Was never on central and the test is probably not reliable, marking in-testsuite-.