Closed Bug 490568 Opened 16 years ago Closed 15 years ago

"Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

RESOLVED DUPLICATE of bug 491806

People

(Reporter: gkw, Assigned: brendan)

Details

(Keywords: assertion, regression, testcase)

$ cat 5a.js
(({ w: (([] for each(z in []))({ y setter: function() { x = #1=[] } })) }) for each(functional in [])) { (function() {}) x for each(let x in [])([]) }

$ ./js-dbg-tm-intelmac 5a.js
Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp:1818
Trace/BPT trap

Save this testcase in a file and parse into the js debug shell without -j (i.e. ./js testcase.js) and it asserts at:

Assertion failure: !(pnu->pn_dflags & PND_BOUND), at ../jsemit.cpp:1818

autoBisect shows this is probably related to the upvar2 bug:

The first bad revision is:
changeset:   26784:2cf0bbe3772a
user:        Brendan Eich
date:        Sun Apr 05 21:17:22 2009 -0700
summary:     upvar2, aka the big one take 2 (452598, r=mrbkap).

This seems debug only as the assert is happening within #ifdef DEBUG code: (could be wrong though)

(gdb) bt
#0  JS_Assert (s=0x1a53f9 "!(pnu->pn_dflags & PND_BOUND)", file=0x1a4fd3 "../jsemit.cpp", ln=1818) at ../jsutil.cpp:69
#1  0x00047ab5 in EmitEnterBlock (cx=0x30bc50, pn=0x814610, cg=0xbffff404) at ../jsemit.cpp:1818
#2  0x00053274 in js_EmitTree (cx=0x30bc50, cg=0xbffff404, pn=0x814610) at ../jsemit.cpp:6268
#3  0x00050353 in js_EmitTree (cx=0x30bc50, cg=0xbffff404, pn=0x813700) at ../jsemit.cpp:5437
#4  0x000e0cb8 in JSCompiler::compileScript (cx=0x30bc50, scopeChain=0x2aa000, callerFrame=0x0, principals=0x0, tcflags=24576, chars=0x0, length=0, file=0xa08a54c0, filename=0xbffffa2a "5a.js", lineno=1, source=0x0) at ../jsparse.cpp:882
#5  0x0001d503 in JS_CompileFileHandleForPrincipals (cx=0x30bc50, obj=0x2aa000, filename=0xbffffa2a "5a.js", file=0xa08a54c0, principals=0x0) at ../jsapi.cpp:4819
#6  0x0001d57e in JS_CompileFileHandle (cx=0x30bc50, obj=0x2aa000, filename=0xbffffa2a "5a.js", file=0xa08a54c0) at ../jsapi.cpp:4805
#7  0x00007eb7 in Process (cx=0x30bc50, obj=0x2aa000, filename=0xbffffa2a "5a.js", forceTTY=0) at ../../shell/js.cpp:408
#8  0x00009732 in ProcessArgs (cx=0x30bc50, obj=0x2aa000, argv=0xbffff960, argc=1) at ../../shell/js.cpp:806
#9  0x0000abdc in main (argc=1, argv=0xbffff960, envp=0xbffff968) at ../../shell/js.cpp:4728
(gdb) frame 1
#1  0x00047ab5 in EmitEnterBlock (cx=0x30bc50, pn=0x814610, cg=0xbffff404) at ../jsemit.cpp:1818
1818                JS_ASSERT(!(pnu->pn_dflags & PND_BOUND));
(gdb) l
1813            JS_ASSERT(uintN(dn->frameSlot() + depth) < JS_BIT(16));
1814            dn->pn_cookie += depth;
1815    #ifdef DEBUG
1816            for (JSParseNode *pnu = dn->dn_uses; pnu; pnu = pnu->pn_link) {
1817                JS_ASSERT(pnu->pn_lexdef == dn);
1818                JS_ASSERT(!(pnu->pn_dflags & PND_BOUND));
1819                JS_ASSERT(pnu->pn_cookie == FREE_UPVAR_COOKIE);
1820            }
1821    #endif
1822        }
Flags: blocking1.9.1?
Assignee: general → brendan
Flags: blocking1.9.1? → blocking1.9.1+
Same underlying cause as bug 491806, fixed by that bug's patch. Dup'ing forward, setting in-testsuite? to get this bug's fuzzer-generated test captured under js/tests. Rob, please make bug 491806 block. Thanks. Bob, if making bug 491806 block this bug is better please feel free to reopen and set the dependency. I'm happy to be schooled, but at this point it's clear this bug and bug 491806 are due to the same flaw in comprehension expression blockid adjustment, described in bug 491806 comment 1. Thanks for any tips. /be
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Flags: in-testsuite?