The following testcase crashes on mozilla-central revision 08f794a4928e (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments):

// Adapted from randomly chosen test: js/src/tests/test262/language/statements/for-await-of/async-func-dstr-let-async-obj-ptrn-rest-getter.js
async function fn() { e }
fn();
// jsfunfuzz-generated
s = newGlobal();
evalcx(`
	// Adapted from randomly chosen test: js/src/tests/test262/language/statements/for-await-of/async-func-dstr-var-obj-ptrn-empty.js
    async function fn() { e }
    fn()
	// Adapted from randomly chosen test: js/src/jit-test/tests/promise/bug1406463.js
    P = newGlobal().eval("(class extends Promise { function(){} })")
    Promise.all.call(P, [{ then() { nukeAllCCWs() } }])
`, s);

Backtrace:

#0 JSObject::maybeUnwrapAs<js::PromiseObject> (this=<optimized out>) at js/src/vm/JSObject.h:652
#1 ReportUnhandledRejections (cx=<optimized out>) at js/src/shell/js.cpp:10318
#2 Shell (cx=0x7f8490317000, op=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:10404
#3 0x00005638fcf20d9c in main (argc=7, argv=0x7ffef15c2168, envp=<optimized out>) at js/src/shell/js.cpp:10973
/snip

For detailed crash information, see attachment.

Setting s-s as a start because this seems to involve compartments, which may be scary.

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e7dc5234c656
user: Jan de Mooij
date: Sun Feb 10 17:37:14 2019 +0000
summary: Bug 1521906 part 1 - Use obj->maybeUnwrapAs<T>() or obj->maybeUnwrapIf<T>() instead of CheckedUnwrap where possible. r=luke

Jan, is bug 1521906 a likely regressor?

Hey Gary, I think this was just a signature change. It's now a safe crash but it should have asserted in debug builds before e7dc5234c656. Can you bisect based on that?

https://hg.mozilla.org/mozilla-central/rev/39e1b87c1dec is the parent of e7dc5234c656 and while it doesn't seem to reproduce with the flags in comment 0, it does show:

Assertion failure: self->template is<U>(), at /home/ubuntu/trees/mozilla-central/js/src/vm/JSObject.h:573

when run with --fuzzing-safe --no-threads --no-baseline --no-ion --more-compartments.

Bisecting based on this, m-c rev 450b8f0cbb4e added --more-compartments and still shows the above assert, so bisecting more backwards on the parent of 450b8f0cbb4e...

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c9f108854caa
user: Tooru Fujisawa
date: Tue Jan 08 02:34:57 2019 +0000
summary: Bug 1517868 - Report unhandled rejections in JS shell. r=jorendorff

Bingo! Arai-san, is bug 1517868 a likely regressor?

Thanks!
This is shell-only. feel free to open.

Opening up as per comment 6.

https://hg.mozilla.org/mozilla-central/rev/dc7e72c71d3a

Arai, did you want to nominate this for Beta uplift to help the fuzzers?

Comment on attachment 9044070 [details]
Bug 1527768 - Report dead object in unhandled rejections set properly. r?jandem

Beta/Release Uplift Approval Request

• Feature/Bug causing the regression: Bug 1517868
• User impact if declined: Fuzzing team may hit this while testing on beta.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): this is js-shell only fix. doesn't affect Firefox.
• String changes made/needed:

Comment on attachment 9044070 [details]
Bug 1527768 - Report dead object in unhandled rejections set properly. r?jandem

Fix for potential crash, should help beta fuzzing.
OK for uplift to beta 12.

Tried to uplift this but got an conflict here:

grafting 527895:dc7e72c71d3a "Bug 1527768 - Report dead object in unhandled rejections set properly. r=jandem"
merging js/src/shell/js.cpp
warning: conflicts while merging js/src/shell/js.cpp! (edit, then use 'hg resolve --mark')
abort: unresolved conflicts, can't continue

here's rebased patch

https://hg.mozilla.org/releases/mozilla-beta/rev/d2578f23e2f5