Closed
Bug 1130698
Opened 10 years ago
Closed 10 years ago
Crash [@ js::PutEscapedStringImpl]
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
RESOLVED
FIXED
mozilla38
| Tracking | Status
---|---|---
firefox38 | --- | fixed
People
(Reporter: gkw, Assigned: shu)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments (2 files)
- (deleted), text/plain
- (deleted), patch, djvj: review+
enableSPSProfiling()
evaluate("new(function() {\
this.f\
})", {
compileAndGo: true
})
crashes js debug shell on m-c changeset aa5f8d47a0ba with --fuzzing-safe --no-threads --ion-eager at js::PutEscapedStringImpl.
Debug configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/39422c6d5efc
user: Shu-yu Guo
date: Wed Feb 04 13:40:02 2015 -0800
summary: Bug 1127156 - Rework optimization tracking JSAPI to be more usable from the profiler. (r=djvj)
Shu-yu, is bug 1127156 a likely regressor? (Profiler-related, so s-s as per bug 1124036 comment 4)
Flags: needinfo?(shu)
Reporter
Comment 1•10 years ago
(lldb) bt 5
* thread #1: tid = 0x167be0, 0x000000010081e9d3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::PutEscapedStringImpl(char*, unsigned long, __sFILE*, JSLinearString*, unsigned int) [inlined] JSString::length() const at String.h:322, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x4)
* frame #0: 0x000000010081e9d3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::PutEscapedStringImpl(char*, unsigned long, __sFILE*, JSLinearString*, unsigned int) [inlined] JSString::length() const at String.h:322
frame #1: 0x000000010081e9d3 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::PutEscapedStringImpl(buffer=0x00007fff5fbfc750, bufferSize=512, fp=0x0000000000000000, str=0x0000000000000000, quote=0) + 35 at jsstr.cpp:4961
frame #2: 0x0000000100627b65 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::jit::WriteIonTrackedOptimizationsTable(JSContext*, js::jit::CompactBufferWriter&, js::jit::NativeToTrackedOptimizations const*, js::jit::NativeToTrackedOptimizations const*, js::jit::UniqueTrackedOptimizations const&, unsigned int*, unsigned int*, unsigned int*, unsigned int*, js::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>*) [inlined] js::PutEscapedString(size=<unavailable>, str=<unavailable>, quote=<unavailable>) + 5 at jsstr.h:374
frame #3: 0x0000000100627b60 js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::jit::WriteIonTrackedOptimizationsTable(JSContext*, js::jit::CompactBufferWriter&, js::jit::NativeToTrackedOptimizations const*, js::jit::NativeToTrackedOptimizations const*, js::jit::UniqueTrackedOptimizations const&, unsigned int*, unsigned int*, unsigned int*, unsigned int*, js::Vector<js::jit::IonTrackedTypeWithAddendum, 1ul, js::SystemAllocPolicy>*) [inlined] SpewConstructor(constructor=<unavailable>) + 21 at OptimizationTracking.cpp:833
frame #4: 0x0000000100627b4b js-dbg-64-dm-nsprBuild-darwin-aa5f8d47a0ba`js::jit::WriteIonTrackedOptimizationsTable(cx=0x0000000101f00300, writer=0x00007fff5fbfc9d0, start=<unavailable>, end=<unavailable>, unique=0x00007fff5fbfca20, numRegions=<unavailable>, regionTableOffsetp=<unavailable>, typesTableOffsetp=<unavailable>, optimizationTableOffsetp=<unavailable>, allTypes=<unavailable>) + 1723 at OptimizationTracking.cpp:953
(lldb)
Assignee
Comment 2•10 years ago
Attachment #8560922 - Flags: review?(kvijayan)
Assignee
Comment 3•10 years ago
DEBUG-only spewing code wasn't handling JSFunctions with nullptr displayAtoms correctly. Not s-s.
Assignee: nobody → shu
Group: core-security
Status: NEW → ASSIGNED
Flags: needinfo?(shu)
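The null display-atom case from comment 3, as an added C++ model (not SpiderMonkey's code): constructed stand-ins for JSLinearString and JSFunction, a PutEscapedString-like escaper that reads the string's length field unconditionally, and the spew routine in its unchecked shape beside a null-tolerant one. All names, the sample string and the "(anonymous)" label are this example's assumptions.

```cpp
#include <string>

// Constructed stand-in for JSLinearString. The length field sits at a small
// offset, so reading it through a null pointer faults at a low address, which
// is what the EXC_BAD_ACCESS at 0x4 inside the inlined JSString::length() is.
struct LinearString {
    unsigned length;
    const char* chars;
};

// Constructed stand-in for JSFunction: displayAtom is null for anonymous
// function expressions such as the testcase's `function() { this.f }`.
struct Function {
    const LinearString* displayAtom;
};

// Constructed sample name containing a quote, to exercise the escaping.
static const LinearString kSampleName = {3, "f\"o"};

// Model of PutEscapedString. Like the real helper it expects a non-null
// string and reads str->length before anything else.
static std::string putEscapedString(const LinearString* str, char quote) {
    std::string out;
    if (quote) out += quote;
    for (unsigned i = 0; i < str->length; ++i) {
        char c = str->chars[i];
        switch (c) {
          case '\\': out += "\\\\"; break;
          case '"':  out += "\\\""; break;
          case '\n': out += "\\n";  break;
          default:   out += c;      break;
        }
    }
    if (quote) out += quote;
    return out;
}

// Pre-fix shape: passes the atom straight through, so an anonymous function
// makes putEscapedString read length from a null pointer.
static std::string spewConstructorUnchecked(const Function& fn) {
    return putEscapedString(fn.displayAtom, '"');
}

// Null-tolerant shape: print a placeholder when there is no display atom.
static std::string spewConstructorChecked(const Function& fn) {
    if (!fn.displayAtom)
        return "(anonymous)";  // label is this example's choice
    return putEscapedString(fn.displayAtom, '"');
}
```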
Updated•10 years ago
Attachment #8560922 - Flags: review?(kvijayan) → review+
Comment 4•10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38