The following testcase crashes on mozilla-central revision aa4c97d22712 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --enable-experimental-fields):

// jsfunfuzz-generated
for (let l of []) {
    // Adapted from randomly chosen test: js/src/tests/test262/language/statements/class/elements/private-derived-cls-direct-eval-err-contains-superproperty-1.js
    class C extends A {
        x = "";
    }
}

Backtrace:

#0 js::frontend::ForOfEmitter::emitEnd (this=0x7fff2dfb8570, iteratedPos=...) at js/src/frontend/ForOfEmitter.cpp:221
#1 0x000055eb07e6ef55 in js::frontend::BytecodeEmitter::emitForOf (this=0x7fff2dfb8a60, forOfLoop=0x7f8a163a9978, headLexicalEmitterScope=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:5343
#2 0x000055eb07e6d9ff in js::frontend::BytecodeEmitter::emitLexicalScope (this=0x7fff2dfb8a60, lexicalScope=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:4818
#3 0x000055eb07e61a1c in js::frontend::BytecodeEmitter::emitTree (this=0x7fff2dfb8a60, pn=0x7f8a163a99e0, valueUsage=js::frontend::ValueUsage::WantValue, emitLineNote=js::frontend::BytecodeEmitter::EMIT_LINENOTE) at js/src/frontend/BytecodeEmitter.cpp:9018
#4 0x000055eb07e61cf6 in js::frontend::BytecodeEmitter::emitStatementList (this=<optimized out>, stmtList=<optimized out>) at js/src/frontend/BytecodeEmitter.cpp:6609
/snip

For detailed crash information, see attachment.

This is fixed in master. Likely fixed by bug 1534721. Not adding a testcase because fields in classes with extends was a very known problem to crash before that bug landed, and so we already have lots of tests similar to this one.