The following testcase asserts on mozilla-central revision 770de5942471 (run with --fuzzing-safe): function test() { var a = {y: 1}; function B(){} B.prototype.__defineSetter__('x', function setx(val) { 'use strict'; try { eval('function foo() { var arguments = 42;}'); } catch (index) { return (index instanceof a); } }); var b = new B; var arr = [a, b]; for (var obj of arr) obj.x = 2; } test();

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/495a9c210b91 user: Jan de Mooij date: Mon Nov 04 11:40:24 2013 +0100 summary: Bug 933798 - Don't unnecessarily deoptimize name accesses in try blocks in lazily parsed functions. r=bhackett This iteration took 0.962 seconds to run.

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5446435cc94a).

This was fixed by backing out bug 933798.

With Nightly js shell from 2013-11-05 on Ubuntu 13.10 64bit, I get: "Segmentation fault (core dumped)" With FF 28 beta 2 shell I get: "TypeError: invalid 'instanceof' operand a". Tried on 2 different machines. Any idea on this? Thanks in advance!

(In reply to Alexandra Lucinet, QA Mentor [:adalucinet] from comment #5) > With Nightly js shell from 2013-11-05 on Ubuntu 13.10 64bit, I get: > "Segmentation fault (core dumped)" > With FF 28 beta 2 shell I get: "TypeError: invalid 'instanceof' operand a". > Tried on 2 different machines. > Any idea on this? Thanks in advance! The regressing changeset seems to have been backed out as per comment 4, so not crashing seems to be correct.

And "invalid 'instanceof' operand" seems reasonable; the rhs should be a (constructor) function.