Bug 1032086 (Closed): Assertion failure: v.isString() || v.isObject(), at vm/TypedArrayObject.cpp
Opened 10 years ago, closed 10 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1032208
People: Reporter: gkw, Unassigned
Details: Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update]
x = [];
Array.prototype.push.call(x, Symbol.iterator);
Int8Array(x);
asserts js debug shell on m-c changeset b6408c32a170 without any CLI arguments at Assertion failure: v.isString() || v.isObject(), at vm/TypedArrayObject.cpp
My configure flags are:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20140623115045" and the hash "611283da02bf".
The "bad" changeset has the timestamp "20140623122048" and the hash "cd2894ed2c76".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=611283da02bf&tochange=cd2894ed2c76
(s-s because this might involve TypedArrays, and it is in the assertion message.)
Jason, is bug 645416 a likely regressor?
Flags: needinfo?(jorendorff)
Comment 1•10 years ago
valueToNative does a canConvertInfallibly() test (which checks for number/boolean/null/undefined) and if false asserts object-or-string and then does either StringToNumber or ToNumber. In this case v is a symbol, of course....
But the ToNumber path is generic, I'd think, so no real need to assert things. Or rather we can just adjust the assert to assert object-or-symbol-or-string. I don't think there's a security bug here.
This is an instance of the whole "we added a new type for the first time in forever" problem...
Updated•10 years ago
Group: core-security, javascript-core-security
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
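The conversion paths described in Comment 1 can be exercised from script as a regression matrix, one sample per value kind, checking that a symbol ends in a catchable TypeError on every store path. This is an added example, not code from the bug or from SpiderMonkey; it assumes Node.js, uses `new Int8Array` because current engines require `new`, and the names SAMPLES, storeOutcome and conversionMatrix are hypothetical. It goes beyond the testcase by also covering BigInt, a primitive added after this bug was filed.

```javascript
// Added example: conversion matrix for typed-array element stores.
// SAMPLES, storeOutcome and conversionMatrix are hypothetical names.

// One constructed sample per value kind. The first four are the kinds
// Comment 1 lists as infallible; string and object take the fallible paths.
const SAMPLES = {
  number: 300,             // wraps to 44 in an Int8Array
  boolean: true,
  null: null,
  undefined: undefined,
  string: "7",
  object: { valueOf() { return 5; } },
  symbol: Symbol.iterator, // the value used in the testcase
  bigint: 1n,              // later-added primitive, same class of problem
};

// Store one value through each public entry point and record the stored
// element, or the name of the exception type if the conversion throws.
function storeOutcome(value) {
  const paths = {
    construct: () => new Int8Array([value])[0],
    assign: () => { const ta = new Int8Array(1); ta[0] = value; return ta[0]; },
    set: () => { const ta = new Int8Array(1); ta.set([value]); return ta[0]; },
  };
  const out = {};
  for (const [name, run] of Object.entries(paths)) {
    try {
      out[name] = run();
    } catch (e) {
      out[name] = e.constructor.name; // a catchable TypeError, not a crash
    }
  }
  return out;
}

// Build the full kind-by-path table.
function conversionMatrix() {
  const matrix = {};
  for (const [kind, value] of Object.entries(SAMPLES)) {
    matrix[kind] = storeOutcome(value);
  }
  return matrix;
}

console.table(conversionMatrix());
```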