x = ({ x: /x/ }) x.p = [] Object.defineProperty(x, "x", { writable: "" }) for (b in [[], null, [undefined]]) { function f(a) { delete a.x a.x = Infinity } for each(z in [x]) { f(z) } } crashes js opt shell on TM tip without -j at JSScope::removeProperty and asserts js debug shell on TM tip without -j at Assertion failure: sprop->childp, at ../jsscope.h:843 Seems to be a near null crash but setting s-s just to be safe. === Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x00000000 0x000dea8c in JSScope::removeProperty () (gdb) bt #0 0x000dea8c in JSScope::removeProperty () #1 0x00077516 in js_DeleteProperty () #2 0x000598d6 in js_Interpret () #3 0x00065dd0 in js_Execute () #4 0x0000eeec in JS_ExecuteScript () #5 0x000046a6 in Process () #6 0x0000893a in main () (gdb) x/i $eip 0xdea8c <_ZN7JSScope14removePropertyEP9JSContextl+300>: mov %edx,(%eax) (gdb) x/b $edx 0x865ab0: 0x64

autoBisect shows this is probably related to bug 430133: The first bad revision is: changeset: 36651:766a6b2e74e7 user: Jeff Walden date: Fri Jun 05 12:56:45 2009 -0700 summary: Bug 430133 - Implement ES3.1's Object.defineProperty and Object.defineProperties. r=jorendorff

Shorter: var a = Object.defineProperty({ x: /x/, p: [] }, "x", { writable: false }); for (var i = 0; i < 5; i++) { delete a.x; a.x = Infinity; }

This WFM -- Gary, mind tracking down which change fixed this?

(In reply to comment #3) > This WFM -- Gary, mind tracking down which change fixed this? Sure. :) Seems to be fixed by bug 595365. autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 53550:cd3c926a7413 user: Brendan Eich date: Sat Sep 11 23:55:25 2010 -0700 summary: Google Maps crash on tracemonkey branch (595365, precog r=jorendorff, a=beta6+).

Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929