The following testcase asserts on mozilla-central revision 50d25e083421 (run with --ion-eager): function TestCase(e, a) getTestCaseResult(e, a); function reportCompare (expected, actual) { var testcase = new TestCase(expected, actual); } function getTestCaseResult(expected, actual) {} new TestCase(0, Date.parse((new Date(0)).toString())); var actual = ''; var expect = ''; test(); function test() { eval( "var t = 'variable'; typeof(t)") reportCompare(actual, expect, actual); } new TestCase ( 0, (new Date((new Date(0)).toUTCString())).getTime() ); test();

My all-time favorite =) Program received signal SIGSEGV, Segmentation fault. 0x08398cc9 in isTagged (this=0x1c) at /srv/repos/mozilla-central/js/src/ion/LIR.h:89 89 return !!(bits_ & TAG_MASK); (gdb) bt #0 0x08398cc9 in isTagged (this=0x1c) at /srv/repos/mozilla-central/js/src/ion/LIR.h:89 #1 kind (this=0x1c) at /srv/repos/mozilla-central/js/src/ion/LIR.h:133 #2 isArgument (this=0x1c) at /srv/repos/mozilla-central/js/src/ion/LIR.h:163 #3 js::ion::LinearScanAllocator::populateSafepoints (this=0xffffc18c) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:535 #4 0x0839ca2f in js::ion::LinearScanAllocator::go (this=0xffffc18c) at /srv/repos/mozilla-central/js/src/ion/LinearScan.cpp:1168 #5 0x0833d3be in js::ion::GenerateLIR (mir=0x86e35e0) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1129 #6 0x08340715 in CompileBackEnd (mir=0x86e35e0, maybeMasm=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1209 #7 compile (autoDelete=<synthetic pointer>, builder=0x86e35e0, this=<optimized out>, graph=<optimized out>) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1402 #8 IonCompile<js::ion::SequentialCompileContext> (compileContext=..., constructing=false, osrPc=0x0, fun=(JSFunction *) 0xffffc340 Cannot access memory at address 0x0, script=<optimized out>, cx=0x8661000) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1342 #9 js::ion::Compile<js::ion::SequentialCompileContext> (cx=0x8661000, script=0xf7428300, fun=(JSFunction * const) 0xf74300c0 [object Function "test"], osrPc=0x0, constructing=false, compileContext=...) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1573 #10 0x08340d41 in js::ion::CanEnter (cx=0x8661000, script=0xf7428300, fp=..., isConstructing=false) at /srv/repos/mozilla-central/js/src/ion/Ion.cpp:1683 #11 0x08107d74 in js::RunScript (cx=0x8661000, fp=0xf7697078) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:320 #12 0x081082c0 in js::InvokeKernel (cx=0x8661000, args=..., construct=js::NO_CONSTRUCT) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:421 #13 0x081089da in Invoke (construct=js::NO_CONSTRUCT, args=..., cx=0x8661000) at /srv/repos/mozilla-central/js/src/jsinterp.h:134 #14 js::Invoke (cx=0x8661000, thisv=..., fval=..., argc=0, argv=0xffffc88c, rval=0xffffc854) at /srv/repos/mozilla-central/js/src/jsinterp.cpp:454 #15 0x084d0f04 in js::ion::DoCallFallback (cx=0x8661000, frame=0xffffc8ac, stub=0x86e76c8, argc=0, vp=0xffffc87c, res=$jsval(-nan(0xfff8200000000))) at /srv/repos/mozilla-central/js/src/ion/BaselineIC.cpp:6588 #16 0xf7fcd3d4 in ?? () #17 0x086e76c8 in ?? () #18 0xf7fc862e in ?? () #19 0x08334611 in EnterBaseline (cx=0x86e76c8, fp=0x0, jitcode=0xf7fd02a0, osr=false) at /srv/repos/mozilla-central/js/src/ion/BaselineJIT.cpp:154

I can't repro with --ion-eager. I do have the fix for bug 863261 in my queue though. Could be fixed by that.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 122585:437c955ff06d user: Nicolas B. Pierron date: Wed Jan 30 07:41:01 2013 -0800 summary: Bug 796114 - Inline with type-checked arguments. r=h4writer This iteration took 0.982 seconds to run.