The following testcase crashes on mozilla-central revision 576a6dcde5b6 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --unboxed-arrays): lfcode = Array(` Function.prototype.toString = function() this(new Proxy([], {get() { return 0; } })); getBacktrace({ thisprops: 1 }) `) readline = file = lfcode.shift(); loadFile(file); function loadFile(lfVarx) { evaluate(lfVarx); } Backtrace: Program received signal SIGSEGV, Segmentation fault. PrintHelpString (cx=0x7ffff6907800, v=...) at js/src/shell/js.cpp:5434 #0 PrintHelpString (cx=0x7ffff6907800, v=...) at js/src/shell/js.cpp:5434 #1 0x000000000043cfb4 in PrintHelp (obj=..., cx=0x7ffff6907800) at js/src/shell/js.cpp:5464 #2 Help (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7fffffffa028) at js/src/shell/js.cpp:5500 #3 0x000000000087fe21 in CallJSNative (args=..., native=0x43cde0 <Help(JSContext*, unsigned int, JS::Value*)>, cx=0x7ffff6907800) at js/src/jscntxtinlines.h:235 #4 js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:475 #5 0x0000000000880399 in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffa460, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:527 #6 0x000000000052af6d in js::jit::DoCallFallback (cx=0x7ffff6907800, frame=0x7fffffffa4a8, stub_=0x7ffff43121e0, argc=1, vp=0x7fffffffa450, res=...) at js/src/jit/BaselineIC.cpp:6136 #7 0x00007ffff7ff0d54 in ?? () [...] #35 0x0000000000000000 in ?? () rax 0x7fffffffffff 140737488355327 rbx 0xfff9000000000000 -1970324836974592 rcx 0x7fffffffaa70 140737488333424 rdx 0x7ffff6907860 140737330051168 rsi 0x0 0 rdi 0x7ffff6907800 140737330051072 rbp 0x7fffffff9df0 140737488330224 rsp 0x7fffffff9d80 140737488330112 r8 0x1 1 r9 0x0 0 r10 0x1855950 25516368 r11 0x1fff8 131064 r12 0x7ffff6907868 140737330051176 r13 0x7fffffff9e80 140737488330368 r14 0x7fffffffa040 140737488330816 r15 0x7ffff6907800 140737330051072 rip 0x43735e <PrintHelpString(JSContext*, JS::Value)+14> => 0x43735e <PrintHelpString(JSContext*, JS::Value)+14>: mov (%rsi),%edx 0x437360 <PrintHelpString(JSContext*, JS::Value)+16>: mov %rsi,%rbx

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/7075d6399f43 user: Tom Schuster date: Wed Dec 17 00:28:39 2014 +0100 summary: Bug 1094176 - Remove lookup JSAPI from js. r=jorendorff This iteration took 144.395 seconds to run.

Tom, is bug 1094176 a likely regressor?

It was probably broken before my change as well. Testcase: help({usage: 1, help: 1})

Comment on attachment 8718850 [details] [diff] [review] help() crash Review of attachment 8718850 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/shell/js.cpp @@ +5457,5 @@ > RootedValue help(cx); > if (!JS_GetProperty(cx, obj, "help", &help)) > return false; > > + if (!usage.isString() || !help.isString()) Heh. I could argue that this should call ToString, but I won't. That would be mostly pointless, and this is good enough, at least until my vague plans to revamp the help system come to fruition. Which may never happen.