The following testcase crashes on mozilla-central revision c95ebeebbc5d (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --ion-eager min.js): oomAfterAllocations(50); function f1() { var v; }; dis(f1); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00000000006b7783 in js::CallJSNative (cx=0x7ffff69831c0, native=0x48d950 <Disassemble(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:238 #0 0x00000000006b7783 in js::CallJSNative (cx=0x7ffff69831c0, native=0x48d950 <Disassemble(JSContext*, unsigned int, jsval*)>, args=...) at js/src/jscntxtinlines.h:238 #1 0x00000000006a3d42 in js::Invoke (cx=cx@entry=0x7ffff69831c0, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:720 #2 0x00000000006a59e6 in js::Invoke (cx=cx@entry=0x7ffff69831c0, thisv=..., fval=..., argc=argc@entry=1, argv=argv@entry=0x7fffffffd8f8, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:775 #3 0x00000000008d364a in js::jit::DoCallFallback (cx=0x7ffff69831c0, frame=0x7fffffffd938, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffd8e8, res=...) at js/src/jit/BaselineIC.cpp:9859 #4 0x00007ffff7e54bdf in ?? () [...] #31 0x00007ffff69b8078 in ?? () #32 0x0000000000987bf4 in ~ReentrancyGuard (this=0x8, __in_chrg=<optimized out>) at ../../dist/include/mozilla/ReentrancyGuard.h:44 #33 mozilla::VectorBase<js::jit::MPhi*, 0ul, js::SystemAllocPolicy, js::Vector<js::jit::MPhi*, 0ul, js::SystemAllocPolicy> >::~VectorBase (this=0x7fffffffd938, __in_chrg=<optimized out>) at ../../dist/include/mozilla/Vector.h:756 Backtrace stopped: previous frame identical to this frame (corrupt stack?) rax 0x0 0 rbx 0x7ffff69831c0 140737330557376 rcx 0x7ffff6ca588d 140737333844109 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffd250 140737488343632 rsp 0x7fffffffd200 140737488343552 r8 0x7ffff7fe8780 140737354041216 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7fffffffcfc0 140737488342976 r11 0x7ffff6c27ee0 140737333329632 r12 0x7fffffffd468 140737488344168 r13 0x0 0 r14 0x7fffffffd210 140737488343568 r15 0x48d950 4774224 rip 0x6b7783 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+643> => 0x6b7783 <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+643>: movl $0xee,0x0 0x6b778e <js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&)+654>: callq 0x4997a0 <abort()> This could be a shell-only bug with the disassemble function.

This needs fixing. I can't triage the other isExceptionPending asserts easily with this in the way.

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 6457f01e4bcb).