Closed Bug 779839 Opened 12 years ago Closed 12 years ago

IonMonkey: Assertion failure: index < stackDepth_, at ion/MIR.h:5254 or Crash [@ js::ion::MBasicBlock::addImmediatelyDominatedBlock]

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
Linux
defect
Not set
major

Tracking

RESOLVED DUPLICATE of bug 779813

People

(Reporter: decoder, Assigned: djvj)

References

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update][ion:p1:fx18])

The following testcase asserts on ionmonkey revision 2169bca0c9a5 (run with --ion -n -m --ion-eager -a):

Math.pow(-131072);
for ( var bit = 0; bit < bs.length; bit++ ) {}

The 64 bit opt-crash looks dangerous here:

==24363== Invalid write of size 8
==24363==    at 0x71B2D5: js::ion::MBasicBlock::addImmediatelyDominatedBlock(js::ion::MBasicBlock*) (Vector.h:790)
==24363==    by 0x6C8DE6: js::ion::BuildDominatorTree(js::ion::MIRGraph&) (IonAnalysis.cpp:557)
==24363==    by 0x6C1132: js::ion::BuildMIR(js::ion::IonBuilder&, js::ion::MIRGraph&) (Ion.cpp:708)
==24363==    by 0x6C4843: bool js::ion::IonCompile<&(js::ion::TestCompiler(js::ion::IonBuilder&, js::ion::MIRGraph&))>(JSContext*, JSScript*, JSFunction*, unsigned char*, bool) (Ion.cpp:839)
==24363==    by 0x6C4C4B: js::ion::CanEnterAtBranch(JSContext*, JSScript*, js::StackFrame*, unsigned char*) (Ion.cpp:992)
==24363==    by 0x4A4CCF: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:1516)
==24363==    by 0x4AAC16: js::RunScript(JSContext*, JSScript*, js::StackFrame*) (jsinterp.cpp:321)
==24363==    by 0x4AB9C9: js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) (jsinterp.cpp:507)
==24363==    by 0x41D5A9: JS_ExecuteScript (jsapi.cpp:5626)
==24363==    by 0x408EFF: Process(JSContext*, JSObject*, char const*, bool) (js.cpp:435)
==24363==    by 0x409E81: Shell(JSContext*, js::cli::OptionParser*, char**) (js.cpp:4845)
==24363==    by 0x40A880: main (js.cpp:5091)
==24363==  Address 0x301f4d80 is not stack'd, malloc'd or (recently) free'd

Might be a duplicate of one of the other MIR bugs I filed. But filing anyway just to be sure not to miss any of these.
Assignee: general → kvijayan
Whiteboard: [jsbugmon:update] → [jsbugmon:update][ion:p1:fx18]
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security