(function() { let x = (new function() {}) __defineGetter__("x", function() { ({ e: x }) }) })() print(x) asserts js debug shell on m-c changeset 14665b1de5ee with --ion-eager --no-threads at Assertion failure: !ins->hasDefUses(), at jit/TypePolicy.cpp. Debug configure options: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/7027efe7fae3 user: Shu-yu Guo date: Mon Sep 15 16:30:45 2014 -0700 summary: Bug 1001090 - Part 1: Implement let temporal dead zone in the frontend and interpreter. (r=Waldo) Shu-yu, is bug 1001090 a possible regressor?

(lldb) bt 5 * thread #1: tid = 0x314869, 0x00000001003d6a31 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::TypeBarrierPolicy::adjustInputs(js::jit::TempAllocator&, js::jit::MInstruction*) [inlined] js::jit::MTypeBarrier* js::jit::MDefinition::to<js::jit::MTypeBarrier>(this=<unavailable>) + 5 at MIR.h:691, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0) * frame #0: 0x00000001003d6a31 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::TypeBarrierPolicy::adjustInputs(js::jit::TempAllocator&, js::jit::MInstruction*) [inlined] js::jit::MTypeBarrier* js::jit::MDefinition::to<js::jit::MTypeBarrier>(this=<unavailable>) + 5 at MIR.h:691 frame #1: 0x00000001003d6a2c js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::TypeBarrierPolicy::adjustInputs(js::jit::TempAllocator&, js::jit::MInstruction*) [inlined] js::jit::MDefinition::toTypeBarrier(this=<unavailable>) at MIR.h:708 frame #2: 0x00000001003d6a2c js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::TypeBarrierPolicy::adjustInputs(this=<unavailable>, alloc=<unavailable>, def=<unavailable>) + 668 at TypePolicy.cpp:245 frame #3: 0x00000001002a8a6a js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::ApplyTypeInformation(js::jit::MIRGenerator*, js::jit::MIRGraph&) [inlined] js::InlineListIterator<js::jit::MInstruction>::operator*(this=0x00000001030d57a8, def=0x0000000103133bf8) const + 86 at IonAnalysis.cpp:1080 frame #4: 0x00000001002a8a14 js-dbg-opt-64-dm-nsprBuild-darwin-14665b1de5ee`js::jit::ApplyTypeInformation(js::jit::MIRGenerator*, js::jit::MIRGraph&) [inlined] (anonymous namespace)::TypeAnalyzer::insertConversions(this=0x00000001030d57a8) + 1683 at IonAnalysis.cpp:1140 (lldb)

Uninitialized lexicals as required by the TDZ shouldn't escape to script and shouldn't be picked up by type sets, which will confuse the type set into thinking it's seen lazyargs.