c = {}.__proto__[1] = 3; (function() { function b(a) { return a } for each(let z in [{}]) { print(new b(z)) } })() crashes js opt shell on JM changeset e0b67d8cc908 with -m, -a and -n and patch v1 from bug 672892 at defaultValue, doesn't seem to show anything in debug. This was found using a combination of jsfunfuzz and jandem's method fuzzer.

When returning a value from a constructor in scripts with unknown type, we need to check for a primitive return and use the original constructed 'this' in such cases. When doing this, we did not ensure that the 'this' value for the frame was synced, and could load from its (trash) address on primitive return. Now that 'this' objects can be constructed in jitcode, the 'this' value is not always synced. This issue does not show up in debug builds because we called a stub to check the argument and 'this' types after constructing 'this', which would force the value to be synced. This patch moves that call up above construction of 'this' (losing checking for the 'this' type while constructing, oh well) so that regalloc will be consistent between debug and release modes. http://hg.mozilla.org/projects/jaegermonkey/rev/409b62513ac6

A testcase for this bug was automatically identified at js/src/jit-test/tests/jaeger/bug678141.js.