(new Function("for (var j=0; j<9; ++j) { (function sum_indexing(array,start){return array.length==start ? 0 : array[start]+ sum_indexing(array,start+1)})([true,true,undefined],0)}"))() Assertion failure: unboxed == JS_TRUE || unboxed == JS_FALSE, at ../jsbuiltins.cpp:387 I couldn't figure out how to make a testcase without "new Function". "new Function" seems to disable several optimizations and I don't know how else to disable them.

I'm making an educated guess that this is due to the tracerecursion bug..

for each(let a in [new Boolean(false)]) {} for (var b = 0; b < 13; ++b) { if (b % 3 == 1) { (function f(c) { if (c <= 1) { return 1; } return f(c - 1) + f(c - 2); })(3) } else { (function g(d, e) {; return d.length == e ? 0 : d[e] + g(d, e + 1); })([false, new Boolean(true), false], 0) } } crashes js opt shell on TM tip with -j at js_ValueToNumber at 0x00000180 and asserts at Assertion failure: unboxed == JS_TRUE || unboxed == JS_FALSE, at ../jsbuiltins.cpp:387 on js debug shell. Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000180 Crashed Thread: 0 Thread 0 Crashed: 0 js-opt-tm-darwin 0x000630fc js_ValueToNumber + 188 1 js-opt-tm-darwin 0x00058432 js_Interpret + 41618 2 js-opt-tm-darwin 0x0005df1a js_Execute + 362 3 js-opt-tm-darwin 0x0000d52c JS_ExecuteScript + 60 4 js-opt-tm-darwin 0x000040b8 __ZL7ProcessP9JSContextP8JSObjectPci + 1336 5 js-opt-tm-darwin 0x00008174 main + 2212 6 js-opt-tm-darwin 0x0000204b _start + 209 7 js-opt-tm-darwin 0x00001f79 start + 41

Shift op went the wrong way.

Comment on attachment 404740 [details] [diff] [review] fix Nice one. Thats one for the archives.

js/src/trace-test/tests/basic/testBug520503-1.js js/src/trace-test/tests/basic/testBug520503-2.js js/src/trace-test/tests/basic/testBug520503-3.js

v 1.9.3