(function() { for (a in [0]) { try { return } catch(e) {} } })() crashes js opt shell on JM changeset 90a7b141e0cf with -m, -a and -n at js::types::TypeSet::add and asserts js debug shell at Assertion failure: v.kind() != SSAValue::EMPTY && pv->value.kind() != SSAValue::EMPTY, autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 68276:90a7b141e0cf tag: tip user: Brian Hackett date: Fri Apr 22 07:59:45 2011 -0700 summary: [INFER] Bytecode SSA analysis, bug 650715.

Another assertion message floating around is: Assertion failure: v.kind() != SSAValue::EMPTY but I'm assuming they're related.

Weird situation in scripts with switch or try blocks, 'for in' iterators and return statements within those iterators. The SSA analysis doesn't track control flow for scripts with switch and try blocks (oversight which should be fixed), and assumes the stack is balanced within these opcodes, a property which does not hold if ENDITERs are introduced to handle return statements that close any iterators active outside the try/switch block. http://hg.mozilla.org/projects/jaegermonkey/rev/460da05aa26f

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug652314.js.