for (;;) { let(f = function () { const e = 0 let(f = function () { switch ({}) { case (e): } }) {} }) { f() } } asserts js debug shell on TM branch (tm-31101-bb6086ec04b8) with -j at Assertion failure: (fun->u.i.script)->upvarsOffset != 0, at ../jstracer.cpp:11742 and crashes js opt shell on TM branch at js_GetUpvar at 0x001f8690.

Setting security-sensitive just-in-case. autoBisecting soon...

for (var x = 0; x < 2; x++) { let(f = function () { const e = 0 let(f = function () { switch ({}) { case (e): } }) {} }) { f() } } is a variant testcase that doesn't go on an infinite loop if it doesn't crash.

function g() { const e = 0; return function () { switch (7) { case e: } }; } for (var i = 0; i < 2; i++) { let f = g; f(); } is the same, but a little easier on my eyes. Here are the bytecodes we trace: ;; in global code 00015: 12 loop 00016: 12 enterblock depth 0 {f: 0} 00019: 13 name "g" 00022: 13 setlocal 1 ;00025: pop ;; elided 00026: 14 calllocal 1 00029: 14 call 0 ;; in g 00000: 4 zero 00001: 4 setlocal 0 ;00004: 4 pop ;; elided 00005: 5 lambda_fc (function () {switch (7) {case e:default:;}})

(In reply to comment #2) > for (var x = 0; x < 2; x++) { > let(f = function () { > const e = 0 > let(f = function () { > switch ({}) { > case (e): > } > }) {} > }) { > f() > } > } > > is a variant testcase that doesn't go on an infinite loop if it doesn't crash. autoBisect shows this is probably related to bug 494269 : The first bad revision is: changeset: 28896:a16ed38ff63a user: David Mandelin date: Wed Jun 03 11:19:20 2009 -0700 summary: Bug 494269: trace JSOP_LAMBDA_FC, r=brendan,gal

Test case coming post-test-reorg.

Pushed to TM as 8c2a6c5dbcad.

Test case added to TM as 3d873e06a0a5.

It's slightly faster to test fun->u.i.nupvars -- rs=me on followup. /be

Followup per comment 8 pushed to TM as ed888dcd9579.

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug509982.js.