The following testcase crashes on mozilla-central revision f14dcd1c8c0b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-debug, run with --fuzzing-safe --no-threads): function printStatus(msg) {} function blah() { printStatus(test() && true || testcase || this); const haveTracemonkey = !!(this.tracemonkey) function jitstatHandler(f) { if (!haveTracemonkey) f("breakLoopExits"); } function test(f) jitstatHandler(function(prop, local, global) {}); } blah(); Backtrace: Program received signal SIGSEGV, Segmentation fault. js::ToBooleanSlow (v=...) at js/src/jsbool.cpp:181 181 return !EmulatesUndefined(&v.toObject()); #0 js::ToBooleanSlow (v=...) at js/src/jsbool.cpp:181 #1 0x000000000089a614 in ToBoolean (v=...) at js/src/jsapi.h:1153 #2 Interpret (cx=0x16eb960, state=...) at js/src/vm/Interpreter.cpp:2218 #3 0x000000000089c93b in js::RunScript (cx=0x16eb960, state=...) at js/src/vm/Interpreter.cpp:432 #4 0x000000000089cbc2 in js::ExecuteKernel (cx=0x16eb960, script=0x7ffff7e60160, scopeChainArg=(JSObject &) @0x7ffff7e5c060 [object global] delegate, thisv=..., type=<optimized out>, evalInFrame=..., result=0x0) at js/src/vm/Interpreter.cpp:641 #5 0x000000000089cd3f in js::Execute (cx=0x16eb960, script=0x7ffff7e60160, scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:678 #6 0x00000000007749d9 in ExecuteScript (cx=<optimized out>, obj=..., scriptArg=..., rval=<optimized out>) at js/src/jsapi.cpp:4722 #7 0x0000000000412e07 in RunFile (compileOnly=false, file=0x17c2210, filename=0x7fffffffef6b "min.js", obj=..., cx=0x16eb960) at js/src/shell/js.cpp:450 #8 Process (cx=0x16eb960, obj_=<optimized out>, filename=0x7fffffffef6b "min.js", forceTTY=<optimized out>) at js/src/shell/js.cpp:583 #9 0x0000000000415fc7 in ProcessArgs (op=0x7fffffffe9a0, obj_=<optimized out>, cx=0x16eb960) at js/src/shell/js.cpp:5399 #10 Shell (op=0x7fffffffe9a0, cx=0x16eb960, envp=<optimized out>) at js/src/shell/js.cpp:5638 #11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:5977 rax 0xfffa000000000010 -1688849860263920 rbx 0x16eb960 24033632 rcx 0xfffa000000000010 -1688849860263920 rdx 0x1fff4 131060 rsi 0x1fff4 131060 rdi 0x10 16 rbp 0x7fffffffde90 140737488346768 rsp 0x7fffffffddc0 140737488346560 r8 0x0 0 r9 0x17b69b8 24865208 r10 0x17b68c0 24864960 r11 0x17cc704 24954628 r12 0x16573c0 23425984 r13 0x16eb978 24033656 r14 0x16eb9c8 24033736 r15 0x7fffffffe620 140737488348704 rip 0x75cde3 <js::ToBooleanSlow(JS::Handle<JS::Value>)+35> => 0x75cde3 <js::ToBooleanSlow(JS::Handle<JS::Value>)+35>: mov 0x8(%rdi),%rax 0x75cde7 <js::ToBooleanSlow(JS::Handle<JS::Value>)+39>: mov (%rax),%rax

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/a9a7f16c817b user: Eric Faust date: Thu Oct 30 17:27:03 2014 -0700 summary: Bug 611388 - |const| should be block scoped and require an initializer. (r=shu) This iteration took 320.143 seconds to run.

This probably dates back to let-TDZ, because the identical case with s/const/let/ crashes similarly.

Goddammit.

Comment on attachment 8540958 [details] [diff] [review] Body level function statement hoisted use analysis to elide TDZ checks is wrong. Pessimize all body level function statements. Review of attachment 8540958 [details] [diff] [review]: ----------------------------------------------------------------- Yum. Commence backports! ::: js/src/frontend/Parser.cpp @@ +1452,5 @@ > + // graph analysis of all body-level functions to compute > + // the transitive closure of which hoisted body level use > + // of which function forces TDZ checks on which uses. This > + // is unreasonably difficult to do in a single pass parser > + // like ours. "in our single-pass parser" is a little more concise.

remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/6ec4eb9786d8

Comment on attachment 8540958 [details] [diff] [review] Body level function statement hoisted use analysis to elide TDZ checks is wrong. Pessimize all body level function statements. Approval Request Comment [Feature/regressing bug #]: 1001090 [User impact if declined]: Non-ES6 compliance when using body-level functions statements with let declarations. [Describe test coverage new/current, TBPL]: pushed to m-c [Risks and why]: Low, let declarations aren't turned on unversioned for content, so for all intents and purposes only affects addons and chrome code. [String/UUID change made/needed]: None

Comment on attachment 8540958 [details] [diff] [review] Body level function statement hoisted use analysis to elide TDZ checks is wrong. Pessimize all body level function statements. Too late for 35 as we already built the rc.