The following sample triggers a nullptr dereference on JSC build from latest HEAD function main() { function v1(v2,v3) { return v1; } Object.defineProperty(v1, "done", { configurable: true, enumerable: true, get: WeakMap }) v1.return = v1 v1.next = v1; Object.defineProperty(WeakMap, Symbol.iterator, { configurable: true, value: v1 }) const v24 = new WeakMap(WeakMap); } noDFG(main); noFTL(main); main(); // CRASH INFO // ========== // TERMSIG: 11 Here is the backtrace from gdb: #0 JSC::JSCell::isString (this=0x0) at Source/JavaScriptCore/runtime/JSCellInlines.h:219 #1 0x00007ffff544f2bd in JSC::JSCell::toBoolean (this=0x0, globalObject=0x7fffa541a068) at Source/JavaScriptCore/runtime/JSCellInlines.h:371 #2 0x00007ffff5447d55 in JSC::JSValue::toBoolean (this=0x7fffffffc248, globalObject=0x7fffa541a068) at Source/JavaScriptCore/runtime/JSCJSValueInlines.h:935 #3 0x00007ffff6bfffea in JSC::iteratorComplete (globalObject=0x7fffa541a068, iterResult=...) at Source/JavaScriptCore/runtime/IteratorOperations.cpp:68 #4 0x00007ffff6c0020c in JSC::iteratorStep (globalObject=0x7fffa541a068, iterationRecord=...) at Source/JavaScriptCore/runtime/IteratorOperations.cpp:78 #5 0x00007ffff6f8ecab in JSC::forEachInIterable<JSC::constructWeakMap(JSC::JSGlobalObject*, JSC::CallFrame*)::$_4>(JSC::JSGlobalObject*, JSC::JSValue, JSC::constructWeakMap(JSC::JSGlobalObject*, JSC::CallFrame*)::$_4 const&) (globalObject=0x7fffa541a068, iterable=..., callback=...) at Source/JavaScriptCore/runtime/IteratorOperations.h:87 #6 0x00007ffff6f8d0a5 in JSC::constructWeakMap (globalObject=0x7fffa541a068, callFrame=0x7fffffffc6e0) at Source/JavaScriptCore/runtime/WeakMapConstructor.cpp:83 #7 0x00007fffa6a000c7 in ?? () #8 0x00007fffffffc7b0 in ?? () #9 0x00007ffff5333fbb in js_trampoline_op_construct () from WebKitBuild/Debug/lib/libJavaScriptCore.so.1 #10 0x0000000000000000 in ?? () I think the issue has to do with the (invalid) getter for v1.done, which will raise an exception (as `WeakMap` cannot be called, but must be constructed using `new`).