Closed Bug 1228575 Opened 9 years ago Closed 9 years ago

Assertion failure: !entry->shape(), at js/src/vm/Shape.cpp:554

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1221378
Tracking Status
firefox45 --- affected

People

(Reporter: gkw, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:])

The following testcase crashes on mozilla-central revision 74c7941a9e22 (build with --enable-debug --enable-more-deterministic --enable-profiling, run with --fuzzing-safe --no-threads --ion-eager):

// Adapted from randomly chosen test: js/src/jit-test/tests/ion/bug1054241.js
s = newGlobal();
var x = ["", "a", "b"];
for (var i = 0; i < 4; ++i) {
  var y = x[i];
  s[y] = y;
}
try {
  evalcx("z", s);
} catch (e) {}
try {
  evalcx("var [] = +{}", s);
} catch (e) {}
try {
  evalcx("enableShellObjectMetadataCallback(); new Array;", s);
} catch (e) {}

Backtrace:

Core was generated by `/home/ubuntu/shell-cache/js-dbg-64-prof-linux-74c7941a9e22/js-dbg-64-prof-linux'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000000000ab100c in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7f235cb21800, obj=obj@entry=..., id=..., id@entry=..., getter=0x0, setter=0x0, slot=slot@entry=124, attrs=0, flags=0, entry=0x7f2357138020, allowDictionary=true) at js/src/vm/Shape.cpp:554
warning: Source file is more recent than executable.
554 MOZ_ASSERT(!entry->shape());
[Current thread is 1 (Thread 0x7f235e260740 (LWP 14293))]
#0 0x0000000000ab100c in js::NativeObject::addPropertyInternal (cx=cx@entry=0x7f235cb21800, obj=obj@entry=..., id=..., id@entry=..., getter=0x0, setter=0x0, slot=slot@entry=124, attrs=0, flags=0, entry=0x7f2357138020, allowDictionary=true) at js/src/vm/Shape.cpp:554
#1 0x0000000000ab1504 in js::NativeObject::addProperty (cx=cx@entry=0x7f235cb21800, obj=obj@entry=..., id=id@entry=..., getter=getter@entry=0x0, setter=setter@entry=0x0, slot=124, attrs=0, flags=0, allowDictionary=true) at js/src/vm/Shape.cpp:499
#2 0x0000000000a622b2 in js::NativeObject::addDataProperty (this=<optimized out>, cx=cx@entry=0x7f235cb21800, idArg=..., slot=<optimized out>, attrs=attrs@entry=0) at js/src/vm/NativeObject.cpp:953
#3 0x0000000000a1975a in js::GlobalObject::resolveConstructor (cx=cx@entry=0x7f235cb21800, global=..., key=key@entry=JSProto_Array) at js/src/vm/GlobalObject.cpp:172
#4 0x0000000000a19cab in js::GlobalObject::ensureConstructor (cx=cx@entry=0x7f235cb21800, global=..., global@entry=..., key=key@entry=JSProto_Array) at js/src/vm/GlobalObject.cpp:98
#5 0x000000000086d635 in JS_ResolveStandardClass (cx=0x7f235cb21800, obj=..., id=..., resolved=0x7ffdf40f78e0) at js/src/jsapi.cpp:1095
#6 0x00000000008daa0e in js::CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject-inl.h:391
#7 js::LookupOwnPropertyInline<(js::AllowGC)1> (donep=<synthetic pointer>, propp=..., id=..., obj=..., cx=0x7f235cb21800) at js/src/vm/NativeObject-inl.h:480
#8 js::LookupPropertyInline<(js::AllowGC)1> (propp=..., objp=..., id=..., obj=..., cx=0x7f235cb21800) at js/src/vm/NativeObject-inl.h:554
#9 js::LookupProperty (cx=cx@entry=0x7f235cb21800, obj=..., id=id@entry=..., objp=..., objp@entry=..., propp=propp@entry=...) at js/src/jsobj.cpp:2131
#10 0x00000000008dc910 in js::LookupName (cx=0x7f235cb21800, name=..., scopeChain=..., objp=..., pobjp=..., propp=...) at js/src/jsobj.cpp:2141
#11 0x0000000000a1ec78 in GetNameOperation (vp=..., pc=<optimized out>, fp=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:236
#12 Interpret (cx=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:2888
#13 0x0000000000a2c0f2 in js::RunScript (cx=cx@entry=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:391
#14 0x0000000000a2e029 in js::ExecuteKernel (cx=cx@entry=0x7f235cb21800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=0x0) at js/src/vm/Interpreter.cpp:650
#15 0x0000000000a2e58d in js::Execute (cx=cx@entry=0x7f235cb21800, script=script@entry=..., scopeChainArg=..., rval=0x0) at js/src/vm/Interpreter.cpp:685
#16 0x0000000000874ab0 in Evaluate (cx=cx@entry=0x7f235cb21800, scope=..., staticScope=staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4505
#17 0x00000000008753ed in JS::Evaluate (cx=cx@entry=0x7f235cb21800, options=..., bytes=<optimized out>, length=265, rval=rval@entry=...) at js/src/jsapi.cpp:4559
#18 0x0000000000879be5 in Evaluate (rval=..., filename=0x7f23570e7c90 "js/src/jit-test/tests/ion/bug1054241.js", optionsArg=..., cx=0x7f235cb21800) at js/src/jsapi.cpp:4576
#19 JS::Evaluate (cx=cx@entry=0x7f235cb21800, optionsArg=..., filename=<optimized out>, rval=..., rval@entry=...) at js/src/jsapi.cpp:4614
#20 0x0000000000457ae9 in LoadScript (cx=0x7f235cb21800, argc=1, vp=0x7f235719c2a8, scriptRelative=false) at js/src/shell/js.cpp:942
#21 0x0000000000a33891 in js::CallJSNative (cx=cx@entry=0x7f235cb21800, native=0x457cb0 <Load(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#22 0x0000000000a2c3a3 in js::Invoke (cx=0x7f235cb21800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:444
#23 0x0000000000a25929 in Interpret (cx=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:2763
#24 0x0000000000a2c0f2 in js::RunScript (cx=cx@entry=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:391
#25 0x0000000000a2e029 in js::ExecuteKernel (cx=cx@entry=0x7f235cb21800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=0x7f235719c208) at js/src/vm/Interpreter.cpp:650
#26 0x0000000000a2e58d in js::Execute (cx=cx@entry=0x7f235cb21800, script=script@entry=..., scopeChainArg=..., rval=0x7f235719c208) at js/src/vm/Interpreter.cpp:685
#27 0x0000000000874ab0 in Evaluate (cx=cx@entry=0x7f235cb21800, scope=..., staticScope=staticScope@entry=..., optionsArg=..., srcBuf=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:4505
#28 0x00000000008750ac in Evaluate (rval=..., length=140728698114592, chars=0x7ffdf40f9200 u"᠀岲缣", optionsArg=..., cx=0x7f235cb21800) at js/src/jsapi.cpp:4541
#29 JS::Evaluate (cx=cx@entry=0x7f235cb21800, optionsArg=..., chars=chars@entry=0x7f2357136c00 u"\"use strict\"; /* regression-test-load */ load(\"js/src/jit-test/tests/ion/bug1054241.js\");", length=length@entry=124, rval=...) at js/src/jsapi.cpp:4599
#30 0x000000000045a46f in EvalInContext (cx=cx@entry=0x7f235cb21800, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:2691
#31 0x0000000000a33891 in js::CallJSNative (cx=cx@entry=0x7f235cb21800, native=0x459fd0 <EvalInContext(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#32 0x0000000000a2c3a3 in js::Invoke (cx=0x7f235cb21800, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:444
#33 0x0000000000a25929 in Interpret (cx=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:2763
#34 0x0000000000a2c0f2 in js::RunScript (cx=cx@entry=0x7f235cb21800, state=...) at js/src/vm/Interpreter.cpp:391
#35 0x0000000000a2e029 in js::ExecuteKernel (cx=cx@entry=0x7f235cb21800, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., type=<optimized out>, evalInFrame=..., evalInFrame@entry=..., result=0x0) at js/src/vm/Interpreter.cpp:650
#36 0x0000000000a2e58d in js::Execute (cx=cx@entry=0x7f235cb21800, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:685
#37 0x000000000086d0f4 in ExecuteScript (cx=cx@entry=0x7f235cb21800, scope=scope@entry=..., script=script@entry=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4410
#38 0x000000000086d492 in JS_ExecuteScript (cx=cx@entry=0x7f235cb21800, scriptArg=scriptArg@entry=...) at js/src/jsapi.cpp:4443
#39 0x000000000042a37c in RunFile (compileOnly=false, file=0x7f235702b400, filename=0x7ffdf40fae1e "/tmp/tmpahIa22loop13/w896-reduced.js", cx=0x7f235cb21800) at js/src/shell/js.cpp:515
#40 Process (cx=cx@entry=0x7f235cb21800, filename=0x7ffdf40fae1e "/tmp/tmpahIa22loop13/w896-reduced.js", forceTTY=forceTTY@entry=false, kind=<optimized out>) at js/src/shell/js.cpp:728
#41 0x00000000004402d9 in ProcessArgs (op=0x7ffdf40fa4c0, cx=0x7f235cb21800) at js/src/shell/js.cpp:6189
#42 Shell (envp=<optimized out>, op=0x7ffdf40fa4c0, cx=0x7f235cb21800) at js/src/shell/js.cpp:6513
#43 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6874
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/1ac68e528d12
user: Jon Coppeard
date: Thu Oct 08 10:49:49 2015 +0100
summary: Bug 1209107 - Only expose module environment object through testing functions r=shu

Jon, is bug 1209107 a likely regressor?
Flags: needinfo?(jcoppeard)
I don't think that's likely to be related. Maybe something to do with enableShellObjectMetadataCallback()?
Flags: needinfo?(jcoppeard)
> Maybe something to do with enableShellObjectMetadataCallback()?

Jim, maybe you're able to help with enableShellObjectMetadataCallback? Or please feel free to forward this to anyone else deemed more appropriate.
Flags: needinfo?(jimb)
I'll bet this is a duplicate of bug 1221378. Can you try the patch on that bug, to see if it helps?
Flags: needinfo?(jimb)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
(In reply to Jim Blandy :jimb from comment #4)
> I'll bet this is a duplicate of bug 1221378. Can you try the patch on that
> bug, to see if it helps?

Yes, that does help, so marking as dupe.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE