(function () { [] = x = /x/; x.toString = Function.prototype.bind; print(x) })() crashes js debug and opt shell on TM changeset 6c8becdd1574 without -m nor -j. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 64672:0906d9490eaf user: Jeff Walden date: Mon Mar 28 20:01:53 2011 -0700 summary: Bug 645468 - Remove js_TryMethod: its semantics aren't what most of its users want, and its utility is limited. r=luke Bug 635389 may be related, I'm filing separate because they have different regression windows.
Created attachment 524841 [details] stack
(In reply to comment #0) > Bug 635389 may be related, I'm filing separate because they have different > regression windows. The more I look at the stacks, the more I suspect this is another manifestation of bug 635389, even though that bug doesn't have .bind and this one does. I'll leave it to others more knowledgeable to confirm this dupe.
toString would call bind, that would throw because |this| wasn't callable, then it'd try to be helpful and stringify |this| for the error message, lather, rinse, repeat. Fixed by bug 601709, which removed this errant stringification that's not at all part of the spec, and which also removes the possibility of recurring solely via built-in methods.
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
or
