The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision c119c16978b4f08f5e0c1269b52b9fdd9085be5f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe): function TestCase(n, d, e, a) this.type = (typeof window == 'undefined' ? 'shell' : 'browser'); var SECTION = "11.9.2"; new TestCase(SECTION, "void 0 == void 0", false, void 0 != void 0); new TestCase(SECTION, "null == null", false, null != null); new TestCase(SECTION, "NaN != NaN", true, Number.NaN != Number.NaN); new TestCase(SECTION, "NaN != 0", true, "while (1"); new TestCase(SECTION, "0 != NaN", true, 0 != Number.NaN); new TestCase(SECTION, "NaN != Infinity", true, Number.NaN != Number.POSITIVE_INFINITY); new TestCase(SECTION, "Infinity != NaN", true, Number.POSITIVE_INFINITY != Number.NaN); new TestCase(SECTION, "Number.MAX_VALUE != Number.MAX_VALUE", false, Number.MAX_VALUE != Number.MAX_VALUE); new TestCase(SECTION, "Number.MIN_VALUE != Number.MIN_VALUE", false, Number.MIN_VALUE != Number.MIN_VALUE); new TestCase(SECTION, "Number.POSITIVE_INFINITY != Number.POSITIVE_INFINITY", false, Number.POSITIVE_INFINITY != Number.POSITIVE_INFINITY); new TestCase(SECTION, "Number.NEGATIVE_INFINITY != Number.NEGATIVE_INFINITY", false, Number.NEGATIVE_INFINITY != Number.NEGATIVE_INFINITY); new TestCase(SECTION, "0 != 0", false, 0 != 0); new TestCase(SECTION, "0 != -0", false, 0 != -0); new TestCase(SECTION, "-0 != 0", false, -0 != 0); new TestCase(SECTION, "-0 != -0", false, -0 != -0); new TestCase(SECTION, "0.9 != 1", true, 0.9 != 1); new TestCase(SECTION, "0.999999 != 1", true, 0.999999 != 1); oomAfterAllocations(5); new TestCase(SECTION, "0.9999999999999 != 1", true, 0.9999999999999 != 1); new TestCase(SECTION, "true != true", false, true != true); new TestCase(SECTION, "false != false", false, false != false); new TestCase(SECTION, "true != false", true, true != false); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000766d87 in base (this=0x0) at js/src/vm/Shape.h:820 #0 0x0000000000766d87 in base (this=0x0) at js/src/vm/Shape.h:820 #1 js::ReshapeForAllocKind (cx=cx@entry=0x7ffff6907400, shape=shape@entry=0x7ffff7e79e98, proto=..., allocKind=allocKind@entry=js::gc::OBJECT2) at js/src/vm/Shape.cpp:636 #2 0x0000000000777c10 in ChangeObjectFixedSlotCount (allocKind=js::gc::OBJECT2, obj=0x7ffff7e5f100, cx=0x7ffff6907400) at js/src/vm/TypeInference.cpp:3580 #3 js::TypeNewScript::maybeAnalyze (this=0x7ffff3e15b20, cx=cx@entry=0x7ffff6907400, group=0x7ffff7e5c6d0, regenerate=regenerate@entry=0x7fffffffcc80, force=force@entry=false) at js/src/vm/TypeInference.cpp:3691 #4 0x0000000000b92ba4 in js::CreateThisForFunctionWithProto (cx=cx@entry=0x7ffff6907400, callee=..., callee@entry=..., proto=proto@entry=..., newKind=newKind@entry=js::GenericObject) at js/src/jsobj.cpp:984 #5 0x0000000000b93332 in js::CreateThisForFunction (cx=cx@entry=0x7ffff6907400, callee=callee@entry=..., newKind=js::GenericObject) at js/src/jsobj.cpp:1019 #6 0x00000000006d5e4f in js::RunState::maybeCreateThisForConstructor (this=this@entry=0x7fffffffd248, cx=cx@entry=0x7ffff6907400) at js/src/vm/Interpreter.cpp:352 #7 0x00000000009b68b0 in js::jit::CanEnter (cx=cx@entry=0x7ffff6907400, state=...) at js/src/jit/Ion.cpp:2549 #8 0x00000000006f90bc in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:3100 #9 0x0000000000707243 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:709 #10 0x000000000070d2e4 in js::ExecuteKernel (cx=cx@entry=0x7ffff6907400, script=..., script@entry=..., scopeChainArg=..., thisv=..., newTargetValue=..., type=<optimized out>, evalInFrame=evalInFrame@entry=..., result=result@entry=0x0) at js/src/vm/Interpreter.cpp:983 #11 0x000000000070d639 in js::Execute (cx=cx@entry=0x7ffff6907400, script=script@entry=..., scopeChainArg=..., rval=rval@entry=0x0) at js/src/vm/Interpreter.cpp:1018 #12 0x0000000000b7929b in ExecuteScript (cx=cx@entry=0x7ffff6907400, scope=..., script=..., rval=rval@entry=0x0) at js/src/jsapi.cpp:4453 #13 0x0000000000b793bb in JS_ExecuteScript (cx=cx@entry=0x7ffff6907400, scriptArg=..., scriptArg@entry=...) at js/src/jsapi.cpp:4484 #14 0x0000000000428699 in RunFile (compileOnly=false, file=0x7ffff699d800, filename=0x7fffffffe18f "min.js", cx=0x7ffff6907400) at js/src/shell/js.cpp:468 #15 Process (cx=cx@entry=0x7ffff6907400, filename=0x7fffffffe18f "min.js", forceTTY=forceTTY@entry=false) at js/src/shell/js.cpp:586 #16 0x0000000000477ce2 in ProcessArgs (op=0x7fffffffdb50, cx=0x7ffff6907400) at js/src/shell/js.cpp:5923 #17 Shell (envp=<optimized out>, op=0x7fffffffdb50, cx=0x7ffff6907400) at js/src/shell/js.cpp:6223 #18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6579 rax 0x0 0 rbx 0x7ffff6907400 140737330050048 rcx 0x7ffff7e2e138 140737352229176 rdx 0x0 0 rsi 0x44 68 rdi 0x7fffffffc840 140737488341056 rbp 0x7fffffffca40 140737488341568 rsp 0x7fffffffc880 140737488341120 r8 0x3c 60 r9 0x7ffff6956000 140737330372608 r10 0xaf4d764e 2941089358 r11 0x0 0 r12 0x0 0 r13 0x0 0 r14 0x7fffffffc940 140737488341312 r15 0x7fffffffc920 140737488341280 rip 0x766d87 <js::ReshapeForAllocKind(JSContext*, js::Shape*, js::TaggedProto, js::gc::AllocKind)+711> => 0x766d87 <js::ReshapeForAllocKind(JSContext*, js::Shape*, js::TaggedProto, js::gc::AllocKind)+711>: mov (%rdx),%rdx 0x766d8a <js::ReshapeForAllocKind(JSContext*, js::Shape*, js::TaggedProto, js::gc::AllocKind)+714>: testb $0x1,0x10(%rdx)

r=h4writer over the shoulder

Really a supa-dupa-trivial fix, no risk at all, so setting checkin-needed without a try build to spare our resources.