Differential output with valueOf/freeze and Ion
Categories
(Core :: JavaScript Engine: JIT, defect)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr78 | --- | unaffected |
firefox86 | --- | wontfix |
firefox87 | --- | wontfix |
firefox88 | --- | fixed |
People
(Reporter: decoder, Assigned: iain)
References
(Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:update,bisect])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 20210307-74e3d611be8f (debug build, run with `--fuzzing-safe --differential-testing --ion-offthread-compile=off --fast-warmup --ion-eager test.js`):

```js
[0,0,0,0,0,0,0,0,0,0,0,0].filter(function() {
  Object.defineProperty(this, "valueOf", ({value: 0, writable: true}));
  Object.freeze(this);
}, '')
```

This yields `TypeError: can't redefine non-configurable property "valueOf"`. Without `--ion-eager`, the error does not occur.
Marking s-s until investigated, since this is a bug in the JIT somewhere.
Comment 1•4 years ago (Reporter)
Comment 2•4 years ago (Assignee)
Here's a reduced version that fails with `--fast-warmup --no-threads`:

```js
function foo() {
  Object.defineProperty(this, "valueOf", ({value: 0, writable: true}));
  Object.freeze(this);
}
for (var i = 0; i < 100; i++) {
  foo.call("");
}
```

We pass in a string as `this`, which `BoxNonStrictThis` turns into an object. The problem is that `BoxNonStrictThis` was marked as movable in bug 1662366 (part 7). If we inline `foo`, then LICM can hoist the `BoxNonStrictThis` outside the loop, which means that instead of seeing a unique object on each iteration, we see the same one each time.
This can cause incorrect results, but I don't think it's a security concern. I think the fix is just to stop marking `BoxNonStrictThis` as movable.
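The hoisting hazard described in this comment, as an added JavaScript model (not code from the bug or from SpiderMonkey; `boxNonStrictThis`, `runBoxedPerIteration` and `runBoxedHoisted` are assumed names). It mirrors the boxing step once per iteration versus once before the loop, and shows why the shared wrapper produces the TypeError the reporter saw:

```javascript
// Models what BoxNonStrictThis does for a sloppy-mode callee (assumed helper,
// not the engine's code): null/undefined become the global object, primitives
// are wrapped in a FRESH object, objects pass through unchanged.
function boxNonStrictThis(thisArg) {
  if (thisArg === null || thisArg === undefined) return globalThis;
  return Object(thisArg); // new wrapper for a primitive, identity for objects
}

// The body of the reporter's callback, with the receiver made explicit.
function defineAndFreeze(self) {
  Object.defineProperty(self, "valueOf", { value: 0, writable: true });
  Object.freeze(self);
  return self;
}

// Correct lowering: box inside the loop, so every iteration gets its own
// wrapper. Returns the number of distinct receivers seen (n) and no error.
function runBoxedPerIteration(n) {
  const seen = new Set();
  for (let i = 0; i < n; i++) {
    seen.add(defineAndFreeze(boxNonStrictThis("")));
  }
  return { distinct: seen.size, error: null };
}

// Hoisted lowering: the box is computed once before the loop (what LICM did
// once the op was marked movable) and the same wrapper is reused. The second
// iteration tries to redefine "valueOf", which the first iteration made
// non-configurable and non-writable, so defineProperty throws a TypeError.
function runBoxedHoisted(n) {
  const boxed = boxNonStrictThis(""); // hoisted: shared across iterations
  const seen = new Set();
  for (let i = 0; i < n; i++) {
    try {
      seen.add(defineAndFreeze(boxed));
    } catch (e) {
      return { distinct: seen.size, iteration: i, error: e.name };
    }
  }
  return { distinct: seen.size, error: null };
}
```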
Comment 3•4 years ago (Assignee)
Comment 5•4 years ago (bugherder)
Comment 6•4 years ago
Bugmon Analysis:
Bug appears to be fixed on mozilla-central 20210310215846-db7158dfb86d but BugMon was unable to reproduce using mozilla-central 20210307213430-74e3d611be8f.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.