Making two constructors of a class with JSObjectMakeConstructor, setting them on an object, and then creating/releasing a context, reliably produces a segfault in GC Mark with r43686 on Linux. Not setting either of the constructors on the object, OR passing NULL as the class argument to JSObjectMakeConstructor prevents the segfault from happening. Attached is a test case which triggers the segfault.
Created attachment 30321: Test case
This also crashes on i386 Mac OS X.
Created attachment 30326: Further reduction

I hit the following assertion in a debug build:

0x000bb760 in JSC::JSObject::putDirect (this=0x4a1260, propertyName=@0x5047e8, value={m_ptr = 0x0}, attributes=14, checkReadOnly=false, slot=@0xbffff6e0) at JSObject.h:389
389 ASSERT(!Heap::heap(value) || Heap::heap(value) == Heap::heap(this));

This attached file is all that is necessary to reproduce the assertion failure, which is likely to be the root cause of this crash during GC.
Created attachment 30327: Patch
Fixed in r43692.