The following testcase crashes on mozilla-central revision e355cacefc88 (build with --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager --no-baseline): // Adapted from randomly chosen test: js/src/jit-test/tests/modules/bug-1233915.js g = newGlobal(); g.parent = this; g.eval("(" + function() { Debugger(parent).onExceptionUnwind = function(frame) frame.eval(""); } + ")()"); // Adapted from randomly chosen test: js/src/jit-test/tests/basic/bug602088.js var p = Proxy.createFunction({}, function() {}); print(new p); Backtrace: 0 js-64-dm-clang-darwin-e355cacefc88 0x0000000100384d5d js::ToPrimitiveSlow(JSContext*, JSType, JS::MutableHandle<JS::Value>) + 237 (jsobj.h:122) 1 ??? 0x0000000101c02ec0 0 + 4324339392

This does not seem to reproduce with a debug build. I used the following configuration command: CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin14.5.0 --disable-jemalloc --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

I wonder what autoBisect has to say about this?

Bisecting in progress...

autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/320b84c9e321 user: simplyblue date: Wed Oct 28 16:38:27 2015 +0530 summary: Bug 1212533 - Change the out-param of js/JS::Construct from MutableHandleValue to MutableHandleObject. r=arai, r=jorendorff Arai-san/jorendorff, is bug 1212533 a likely regressor?

Debugger overwriting return value in a constructing frame with a primitive, or Bob's your uncle.