for (a in (function() { __defineGetter__("e", function() { print(a) }); yield; const a = function() {} })()) function() {} gc(); print(e) crashes js opt shell on JM tip without -j or -m at a weird memory address and crashes js dbg shell on JM tip without -j or -m at another weird memory address with js_ValueToString near the top of the stack. Tested with 32-bit Mac 10.6.2 shell on JM rev 71ed74081c2d. Debug shell stack: Exception Type: EXC_BAD_ACCESS (SIGBUS) Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000000 Crashed Thread: 0 Dispatch queue: com.apple.main-thread Thread 0 Crashed: Dispatch queue: com.apple.main-thread 0 ??? 0x003d6221 0 + 4022817 1 js-dbg-32-jm-darwin 0x0011a7bd js_ValueToString + 58 2 js-dbg-32-jm-darwin 0x00015ef4 JS_ValueToString + 24 3 js-dbg-32-jm-darwin 0x000098ad Print(JSContext*, unsigned int, long*) + 60 (js.cpp:1060) 4 js-dbg-32-jm-darwin 0x0008eeaf js_Interpret + 92840 5 js-dbg-32-jm-darwin 0x000a119f js_Invoke + 2325 6 js-dbg-32-jm-darwin 0x000a1641 js_InternalInvoke + 197 7 js-dbg-32-jm-darwin 0x000a1761 js_InternalGetOrSet + 103 8 js-dbg-32-jm-darwin 0x000c029b JSScopeProperty::get(JSContext*, JSObject*, JSObject*, long*) + 253 9 js-dbg-32-jm-darwin 0x000b4ad3 js_NativeGet + 607 10 js-dbg-32-jm-darwin 0x0008fc19 js_Interpret + 96274 11 js-dbg-32-jm-darwin 0x000a0479 js_Execute + 1251 12 js-dbg-32-jm-darwin 0x00011afd JS_ExecuteScript + 54 13 js-dbg-32-jm-darwin 0x0000a6a4 Process(JSContext*, JSObject*, char*, int) + 458 (js.cpp:449) 14 js-dbg-32-jm-darwin 0x0000b41a ProcessArgs(JSContext*, JSObject*, char**, int) + 2325 (js.cpp:868) 15 js-dbg-32-jm-darwin 0x0000b7e7 main + 953 (js.cpp:4880) 16 js-dbg-32-jm-darwin 0x000028a5 _start + 208 17 js-dbg-32-jm-darwin 0x000027d4 start + 40

A testcase for this bug was already added in the original bug (bug 550743).