for each(let c in [ {}, Object, {}, Object, function() {}, {}, function() {}, function() {}, function() {}, {}, Object, Object, function() {}, Object, function() {}, {}, Object, function() {}, Object, function() {}, {}, function() {}, function() {}, function() {}, function() {}, function() {}, function() {}, Object, function() {}, function() {}, function() {}, Object, {}, function() {}, Object, function() {}, function() {}, function() {}, {}, {} ]) { try { (function() { c.watch() })() } catch (e) {} } asserts 64-bit js debug shell on IonMonkey changeset 18142c3076a1 with --no-jm at Assertion failure: !hasLazyType(), and crashes js opt shell at js::types::TypeObject::addProperty Seems to be a null crash but locking s-s just to be safe. Due to skipped revisions, the first bad revision could be any of: changeset: 105607:6cd206b37176 parent: 104959:b63bb39ed1c0 parent: 105606:a0240c1043ee user: David Anderson <danderson@mozilla.com> date: Wed Aug 29 17:51:24 2012 -0700 summary: Merge from mozilla-central. changeset: 105758:7bf95bb09233 parent: 105607:6cd206b37176 parent: 105757:706174d31a02 user: David Anderson <danderson@mozilla.com> date: Wed Aug 29 17:57:37 2012 -0700 summary: Merge from mozilla-central. changeset: 105759:003feda8a0b3 parent: 105758:7bf95bb09233 parent: 104963:630296b1c46d user: David Anderson <danderson@mozilla.com> date: Wed Aug 29 17:58:13 2012 -0700 summary: Merge. changeset: 105760:8f2d38db4b56 user: David Anderson <danderson@mozilla.com> date: Wed Aug 29 18:04:42 2012 -0700 summary: Fix merge bustage.

Reproduces nondeterministically.

Use getType() instead of type(), since the typeobject may still require lazy creation. I'm not sure why this is nondeterministic, but the object appears valid.