non-jit, really? I wonder what we're doing emitting LIR if we've got the JIT disabled...
no, not really. :-( I forgot this test includes direct calls to turn jit on.
now occurs on 1.9.1 and 1.9.1-tracemonkey. regressed by bug 479442
http://hg.mozilla.org/mozilla-central/rev/3d0e0bc6a8c4 was the regressor and confirmed by bisecting both on tracemonkey and mozilla-central.
This is the code in question. a=b=c=d=0; this.__defineGetter__('g', gc); for each (y in this);
WFM with TM tip. Also works in the shell.
I can still reproduce this on tracemonkey in mac and linux but not in 1.9.1 or 1.9.2 it appears. I'll bisect and see what changed it. If you are trying to to reproduce, you may need to enable user_pref("signed.applets.codebase_principal_support", true); and grant bclary.com permission to modify prefs. several tests only assert if jit is dynamically switched on just prior to the test code.
Ok, the last time I saw this was around 3/10. Bisecting now for the fixor.
v 1.9.1, 1.9.2