evaluate('', { global: newGlobal(), element: {} }) asserts js debug shell on m-c changeset eabe3f50b083 without any CLI arguments at Assertion failure: IsObjectValueInCompartment(value, compartment()), at vm/ObjectImpl.h My configure flags are: CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --with-ccache --disable-threadsafe Full credit for this goes to :jimb who mentioned this to us and Jesse then put support for this into jsfunfuzz.

autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/a15ba1bc98c5 user: Eddy Bruel date: Thu Nov 21 13:25:15 2013 -0800 summary: Bug 637572: Implement Debugger.Source.prototype.element (v7) r=sfink Eddy, is bug 637572 a likely regressor?

for (f in ["", ""]) for (f in ["", "", ""]) function f(code) { Function(code)() } f("\ x = {};\ evaluate(\"[]\", ({\ global: evalcx(''),\ element: x,\ }))\ "); f("\ x = schedulegc(Set);\ gc('compartment');\ ") This testcase asserts similarly, but crashes opt shell at PushMarkStack. (when compiled with --enable-exact-rooting) CC="clang -Qunused-arguments" AR=ar CXX="clang++ -Qunused-arguments" sh ./configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --disable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --enable-methodjit --enable-type-inference --disable-tests --enable-more-deterministic --enable-exact-rooting --enable-elf-hack --enable-stdcxx-compat --enable-warnings-as-errors --enable-signmar --disable-elf-hack --enable-js-diagnostics --with-intl-api=build --enable-ctypes --disable-shared-js --enable-jemalloc --with-ccache --enable-threadsafe <other NSPR flags>

I have seen quite a few GC-related crash signatures associated with "element:" - may have to suspend fuzzing it if this is not fixed soon, as it hides other GC bugs.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1) > autoBisect shows this is probably related to the following changeset: > > The first bad revision is: > changeset: http://hg.mozilla.org/mozilla-central/rev/a15ba1bc98c5 > user: Eddy Bruel > date: Thu Nov 21 13:25:15 2013 -0800 > summary: Bug 637572: Implement Debugger.Source.prototype.element (v7) > r=sfink > > Eddy, is bug 637572 a likely regressor? Hard to tell for sure, but I'd say it's definitely possible.

I'm pretty sure this is because we're trying to provide elements in one compartment for compilations in a different compartment. Marking dup.

Clearing the needinfo on this bug since it's been marked as resolved.