This crashes in the type inference code: --- ./js js> new Function.prototype Bus error --- Top of stack: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x0000001c 0x00317e93 in js::types::TypeObject::getNewObject (this=0x0, cx=0x70b3a0) at ../jsinfer.cpp:1966 1966 if (newObject) (gdb) bt #0 0x00317e93 in js::types::TypeObject::getNewObject (this=0x0, cx=0x70b3a0) at ../jsinfer.cpp:1966 #1 0x0031dbf9 in js::types::TypeConstraintCall::newType (this=0x713ff0, cx=0x70b3a0, source=0x713da8, type=8792640) at ../jsinfer.cpp:824

timeless: This crash (and other issues blocking bug 608741) is in the Jaegermonkey branch, which is experimental code and won't be on trunk for a few months.

The inference crash is gone, but now this asserts with -m: ./js -m js> new Function.prototype Assertion failure: analysis, at ../jsinferinlines.h:453

Yeah, bug 619271 made this almost not-broken, but we still weren't making analysis info for Function.prototype (these values are scripts, but are created in a different way from normal scripts). http://hg.mozilla.org/projects/jaegermonkey/rev/6ae854b6490f

This rebroke with the scripted 'new' overhaul done as part of bug 619433, and unfortunately testing did not catch it (only breaks if -m is not used). The problem was that Function.prototype does not itself have a .prototype property (unlike all other scripts), and wasn't being special cased. http://hg.mozilla.org/projects/jaegermonkey/rev/479604222c8e