The following testcase crashes on mozilla-central revision 79a5b2968d01 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads --baseline-eager main.js): See attachment. Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x00000000006dd405 in js::ObjectGroupCompartment::removeDefaultNewGroup (this=this@entry=0x7ffff69562e0, clasp=clasp@entry=0x0, proto=..., associated=<optimized out>) at js/src/vm/ObjectGroup.cpp:1599 #0 0x00000000006dd405 in js::ObjectGroupCompartment::removeDefaultNewGroup (this=this@entry=0x7ffff69562e0, clasp=clasp@entry=0x0, proto=..., associated=<optimized out>) at js/src/vm/ObjectGroup.cpp:1599 #1 0x000000000076b94e in js::ObjectGroup::detachNewScript (this=this@entry=0x7ffff7e5db80, writeBarrier=writeBarrier@entry=false, replacement=replacement@entry=0x0) at js/src/vm/TypeInference.cpp:2894 #2 0x000000000076aeeb in js::ObjectGroup::maybeClearNewScriptOnOOM (this=0x7ffff7e5db80) at js/src/vm/TypeInference.cpp:2921 #3 0x000000000076b102 in js::TypeZone::clearAllNewScriptsOnOOM (this=<optimized out>) at js/src/vm/TypeInference.cpp:4383 #4 0x0000000000b2c651 in js::gc::GCRuntime::sweepTypesAfterCompacting (this=this@entry=0x7ffff693c408, zone=zone@entry=0x7ffff6955800) at js/src/jsgc.cpp:2296 #5 0x0000000000b2c6aa in js::gc::GCRuntime::sweepZoneAfterCompacting (this=0x7ffff693c408, zone=zone@entry=0x7ffff6955800) at js/src/jsgc.cpp:2304 #6 0x0000000000b66aa6 in js::gc::GCRuntime::updatePointersToRelocatedCells (this=this@entry=0x7ffff693c408, zone=zone@entry=0x7ffff6955800) at js/src/jsgc.cpp:2656 #7 0x0000000000b86055 in js::gc::GCRuntime::compactPhase (this=this@entry=0x7ffff693c408, reason=reason@entry=JS::gcreason::DEBUG_GC, sliceBudget=...) at js/src/jsgc.cpp:5559 #8 0x0000000000b86660 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff693c408, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6014 #9 0x0000000000b87373 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c408, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6209 #10 0x0000000000b87950 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c408, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/jsgc.cpp:6325 #11 0x0000000000b89b44 in js::gc::GCRuntime::runDebugGC (this=this@entry=0x7ffff693c408) at js/src/jsgc.cpp:6814 #12 0x00000000005fc347 in js::gc::GCRuntime::gcIfNeededPerAllocation (this=this@entry=0x7ffff693c408, cx=cx@entry=0x7ffff6907400) at js/src/gc/Allocator.cpp:28 #13 0x000000000063d88f in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (this=0x7ffff693c408, cx=0x7ffff6907400, kind=js::gc::FIRST) at js/src/gc/Allocator.cpp:55 #14 0x00000000006476d4 in js::Allocate<JSObject, (js::AllowGC)1> (cx=cx@entry=0x7ffff6907400, kind=kind@entry=js::gc::FIRST, nDynamicSlots=0, heap=heap@entry=js::gc::DefaultHeap, clasp=clasp@entry=0x1b4b2a0 <JSFunction::class_>) at js/src/gc/Allocator.cpp:121 #15 0x000000000069c38d in JSObject::create (cx=0x7ffff6907400, kind=js::gc::FIRST, heap=js::gc::DefaultHeap, shape=..., group=...) at js/src/jsobjinlines.h:331 #16 0x0000000000b4514c in NewObject (cx=0x7ffff6907400, group=..., kind=js::gc::FIRST, newKind=js::GenericObject, initialShapeFlags=<optimized out>) at js/src/jsobj.cpp:684 #17 0x0000000000b45b8b in js::NewObjectWithClassProtoCommon (cxArg=cxArg@entry=0x7ffff6907400, clasp=clasp@entry=0x1b4b2a0 <JSFunction::class_>, protoArg=..., protoArg@entry=..., allocKind=allocKind@entry=js::gc::FIRST, newKind=newKind@entry=js::GenericObject) at js/src/jsobj.cpp:812 #18 0x0000000000b7c715 in NewObjectWithClassProto (newKind=js::GenericObject, allocKind=js::gc::FIRST, proto=..., clasp=0x1b4b2a0 <JSFunction::class_>, cx=0x7ffff6907400) at js/src/jsobjinlines.h:723 #19 NewFunctionClone (cx=cx@entry=0x7ffff6907400, fun=..., fun@entry=..., newKind=newKind@entry=js::GenericObject, allocKind=allocKind@entry=js::gc::FIRST, proto=..., proto@entry=...) at js/src/jsfun.cpp:2080 #20 0x0000000000b83f72 in js::CloneFunctionReuseScript (cx=cx@entry=0x7ffff6907400, fun=fun@entry=..., parent=parent@entry=..., allocKind=allocKind@entry=js::gc::FIRST, newKind=newKind@entry=js::GenericObject, proto=proto@entry=...) at js/src/jsfun.cpp:2115 #21 0x000000000071f289 in js::CloneFunctionObjectIfNotSingleton (cx=0x7ffff6907400, fun=..., parent=..., proto=..., newKind=js::GenericObject) at js/src/jsfuninlines.h:90 #22 0x00000000006e4703 in js::Lambda (cx=0x7ffff6907400, fun=..., parent=...) at js/src/vm/Interpreter.cpp:4283 #23 0x00007ffff7ff1b15 in ?? () [...] #42 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff69562e0 140737330373344 rcx 0x7ffff6ca53b0 140737333842864 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffa830 140737488332848 rsp 0x7fffffffa7b0 140737488332720 r8 0x7ffff7fe0780 140737354008448 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7fffffffa570 140737488332144 r11 0x7ffff6c27960 140737333328224 r12 0x7ffff6908d98 140737330056600 r13 0x7ffff53e5420 140737307890720 r14 0x13 19 r15 0x7fffffffa7e0 140737488332768 rip 0x6dd405 <js::ObjectGroupCompartment::removeDefaultNewGroup(js::Class const*, js::TaggedProto, JSObject*)+533> => 0x6dd405 <js::ObjectGroupCompartment::removeDefaultNewGroup(js::Class const*, js::TaggedProto, JSObject*)+533>: movl $0x63f,0x0 0x6dd410 <js::ObjectGroupCompartment::removeDefaultNewGroup(js::Class const*, js::TaggedProto, JSObject*)+544>: callq 0x497c70 <abort()> Even though this test runs with --no-threads and uses the oomTest functionality, I was not able to reduce it further. It seems to be sensitive to baseline compilation and I tried all sorts of tricks to put it into a single file, no luck.

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Comment on attachment 8670817 [details] [diff] [review] bug1209497.patch Review of attachment 8670817 [details] [diff] [review]: ----------------------------------------------------------------- Looks good. ::: js/src/vm/ObjectGroup.cpp @@ +1463,3 @@ > allocationSiteTable->remove(p); > + if (!allocationSiteTable->putNew(key, group)) > + CrashAtUnhandlableOOM("Inconsistent object table"); We should use an `AutoEnterOOMUnsafeRegion oomUnsafe` around this to avoid hitting this while OOM testing. @@ +1613,3 @@ > defaultNewTable->remove(p); > + if (!defaultNewTable->putNew(lookup, NewEntry(group, associated))) > + CrashAtUnhandlableOOM("Inconsistent object table"); And here.

(In reply to Jan de Mooij [:jandem] from comment #4) > We should use an `AutoEnterOOMUnsafeRegion oomUnsafe` around this to avoid > hitting this while OOM testing. (And use oomUnsafe.crash instead of CrashAtUnhandlableOOM.)

https://hg.mozilla.org/integration/mozilla-inbound/rev/9ecce6ab453e5d7ff6de1bbb15e50c402912e826 Bug 1209497 - OOM-crash if a consistent object table is impossible. r=jandem