The attached testcase crashes on ionmonkey-arm (private branch) revision 153a2db06024 (run with --ion -n -m --ion-eager).

The comment 0 branch spec is wrong, this is actually the regular ionmonkey repository. Before reduction this showed up as an unsupported relocation, but now it just crashes: Program received signal SIGSEGV, Segmentation fault. 0x0001988e in js::EncapsulatedPtr<JSObject, unsigned int>::operator JSObject* (this=0xdadadade) at ../../gc/Barrier.h:172 172 operator T*() const { return value; } (gdb) bt #0 0x0001988e in js::EncapsulatedPtr<JSObject, unsigned int>::operator JSObject* (this=0xdadadade) at ../../gc/Barrier.h:172 #1 0x00028b4c in js::ObjectImpl::hasSingletonType (this=0x40a0cb50) at ../vm/ObjectImpl.h:1067 #2 0x0005afa0 in js::types::Type::ObjectType (obj=0x40a0cb50) at ../jsinferinlines.h:34 #3 0x0005b046 in js::types::GetValueType (cx=0x104e0d0, val=...) at ../jsinferinlines.h:60 #4 0x000d8f54 in js::types::TypeMonitorResult (cx=0x104e0d0, script=0x40a060b0, pc=0x1057148 "\232", rval=...) at /home/decoder/ionmonkey-arm/js/src/jsinfer.cpp:5002 #5 0x000eb6e6 in js::types::TypeScript::Monitor (cx=0x104e0d0, script=0x40a060b0, pc=0x1057148 "\232", rval=...) at ../jsinferinlines.h:590 #6 0x003365e6 in js::ion::ReflowTypeInfo (bailoutResult=4) at /home/decoder/ionmonkey-arm/js/src/ion/Bailouts.cpp:478 #7 0x4005f734 in ?? () #8 0x4005f734 in ?? ()

The proper revision this was tested on is 9712a6f6b71c.

Sorry about not looking at this sooner, I think it was filed while I was out of the office. I just tried this on 9712a6f6b71c, but I did not see any crashing, It just prints out: ReferenceError: expect is not defined Is there anything else I may need to do?

Wasn't able to reproduce this on the original revision. Assuming that the repo wasn't clean and closing as WFM.