Closed Bug 726636 Opened 13 years ago Closed 13 years ago

JS Shell: Crashes with call to mjitChunkLimit without arguments

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla13
People: Reporter: decoder, Assigned: bhackett1024
Keywords: assertion, crash, testcase
Attachments: 1 file
The following test asserts on mozilla-central revision 4a9a6ffd1f21 (options -m -n):

    function jsTestDriverEnd() {}
    this.__defineSetter__("x", function () {});
    x %= 5;
    jsTestDriverEnd();
    mjitChunkLimit();

I'm getting

    Assertion failure: v.isObject(), at js/src/jsnum.cpp:1257

for this test, but it can also cause other assertions (e.g. ptrBits) or crashes. I assume this is a shell-only issue with the debug function mjitChunkLimit, which is supposed to take one parameter. It would be nice if this could be fixed (I assume it's an easy thing), because it causes multiple signatures in the fuzzer.
    function tryItOut(code) {
        nestingConsistencyTest()
        sandboxResult(code, "new-compartment")
    }
    function nestingConsistencyTest(c) {
        var e
        depth = rnd() + 4
        for (var i; depth;) (p)
    }
    function sandboxResult(code, globalType) {
        try {
            var sandbox = newGlobal(globalType)
            t = evalcx(code, sandbox)
        } catch (e) {}
    }
    function f() {
        this.g1 = function() {}
        this.g2 = function() { return this.g1() }
    }
    (function() {
        fInst = new f
        rnd = function(n) { Math.floor(fInst.g2()) }
    }())
    tryItOut("mjitChunkLimit()")

Here's another testcase w/ 32-bit debug shell on Linux on m-c changeset ebafee0cea36:

    *** Compartment mismatch 0x8b14520 vs. 0x8b0ad00
    Assertion failure: compartment mismatched, at /home/fuzz2lin/Desktop/jsfunfuzz-dbg-32-mc-86707-ebafee0cea36/compilePath/js/src/jscntxtinlines.h:153
Attached patch patch (deleted) — Splinter Review
Dumb bug, mjitChunkLimit checks for argument overflow but not underflow.
Assignee: general → bhackett1024
Attachment #596830 - Flags: review?(dvander)
Keywords: crash
Attachment #596830 - Flags: review?(dvander) → review+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
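The bug class described in the comment above (a native function that bounds-checks its argument count from one side only, then reads an argument slot that was never passed) is easy to model outside the engine. The following is an added, illustrative C example and not the attached patch or SpiderMonkey's own code; the `Value` type, the `NativeStatus` codes and both `mjit_chunk_limit_*` functions are hypothetical simplifications of a native shell function's `argc`/`args` calling convention. The "stale" argument slot is constructed here to stand in for whatever happens to sit in the argument vector when the caller passes nothing.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical model of a tagged JS value. Real engines use a packed
 * representation; the tag/payload pair is enough to show the check. */
typedef enum { TAG_UNDEFINED, TAG_INT32, TAG_OBJECT } ValueTag;

typedef struct {
    ValueTag tag;
    int32_t  i32;   /* payload, only meaningful for TAG_INT32 */
} Value;

typedef enum {
    NATIVE_OK = 0,
    NATIVE_ERR_TOO_FEW_ARGS,
    NATIVE_ERR_TOO_MANY_ARGS,
    NATIVE_ERR_BAD_TYPE
} NativeStatus;

/* Model of the broken shape: only the upper bound on argc is checked.
 * With argc == 0 the function still dereferences args[0], a slot the
 * caller never filled for this call, so a stale value is accepted as
 * if it had been passed (in the engine this surfaces as a type
 * assertion or a crash rather than a clean error). */
static NativeStatus mjit_chunk_limit_unchecked(unsigned argc, const Value *args,
                                               int32_t *limit)
{
    if (argc > 1)
        return NATIVE_ERR_TOO_MANY_ARGS;
    if (args[0].tag != TAG_INT32)
        return NATIVE_ERR_BAD_TYPE;
    *limit = args[0].i32;
    return NATIVE_OK;
}

/* Hardened shape: argc is checked from both sides before args[] is
 * touched, so a zero-argument call never reads the vector at all. */
static NativeStatus mjit_chunk_limit_checked(unsigned argc, const Value *args,
                                             int32_t *limit)
{
    if (argc < 1)
        return NATIVE_ERR_TOO_FEW_ARGS;
    if (argc > 1)
        return NATIVE_ERR_TOO_MANY_ARGS;
    if (args[0].tag != TAG_INT32)
        return NATIVE_ERR_BAD_TYPE;
    *limit = args[0].i32;
    return NATIVE_OK;
}

static const char *status_name(NativeStatus s)
{
    switch (s) {
    case NATIVE_OK:                 return "ok";
    case NATIVE_ERR_TOO_FEW_ARGS:   return "too few arguments";
    case NATIVE_ERR_TOO_MANY_ARGS:  return "too many arguments";
    default:                        return "bad argument type";
    }
}

int main(void)
{
    /* Constructed stale slot: pretend a previous call left 9999 here. */
    Value stale = { TAG_INT32, 9999 };
    int32_t limit = 0;

    NativeStatus s = mjit_chunk_limit_unchecked(0, &stale, &limit);
    printf("unchecked, argc=0: %s, limit=%d (garbage accepted)\n",
           status_name(s), limit);

    limit = 0;
    s = mjit_chunk_limit_checked(0, &stale, &limit);
    printf("checked,   argc=0: %s, limit=%d\n", status_name(s), limit);

    Value one = { TAG_INT32, 4 };
    s = mjit_chunk_limit_checked(1, &one, &limit);
    printf("checked,   argc=1: %s, limit=%d\n", status_name(s), limit);
    return 0;
}
```

The point of the model is the order of operations: the count check must precede any read of the argument vector, and it must reject both directions, since an argument count that is too small is just as much an out-of-range index as one that is too large.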
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+