v = let(f = function (y) { let(f = function (g) { for each(let h in g) { if (y > 4) { with(1) {} } } }) { f([0, 0, 0]) } }) print(f()) crashes TM tip dbg js shell with -j at js_GetClosureArg at null. Doesn't seem to affect 1.9.1 branch.

Affects opt js shell too. autoBisect shows this is probably related to bug 496240 : The first bad revision is: changeset: 30380:b75efc9ee5b1 user: David Mandelin date: Tue Jul 21 16:22:36 2009 -0700 summary: Bug 496240: trace JSOP_NAME for active (on-stack) closures, r=gal Though it crashes at null - there's two memory address entries on the stack. Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000 Crashed Thread: 0 Thread 0 Crashed: 0 js-dbg-tm-darwin 0x000e3a30 js_GetClosureArg(JSContext*, JSObject*, unsigned int, unsigned int, unsigned int, double*) + 128 1 ??? 0x00186f2d 0 + 1601325 2 ??? 0xbffff268 0 + 3221221992 3 js-dbg-tm-darwin 0x000f7c1e js_MonitorLoopEdge(JSContext*, unsigned int&) + 1326 4 js-dbg-tm-darwin 0x00055172 js_Interpret + 44610 5 js-dbg-tm-darwin 0x0005a157 js_Execute + 407 6 js-dbg-tm-darwin 0x0000e52c JS_ExecuteScript + 60 7 js-dbg-tm-darwin 0x00003fea Process(JSContext*, JSObject*, char*, int) + 1338 8 js-dbg-tm-darwin 0x000077cf main + 879 9 js-dbg-tm-darwin 0x000022db _start + 209 10 js-dbg-tm-darwin 0x00002209 start + 41

dupe of bug 506018?

Yeah, it's a dup.

fixed by the dupe on 192