Bug 1211977 - Crash [@ used]
Status: Closed (opened 9 years ago, closed 9 years ago)
Categories: Core :: JavaScript Engine, defect
Tracking: RESOLVED DUPLICATE of bug 1209026

| | Tracking | Status |
|---|---|---|
| firefox44 | --- | affected |
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: Keywords: assertion, regression, testcase; Whiteboard: [jsbugmon:ignore]
Crash Data
Attachments (2 files):
- (deleted), application/octet-stream
- (deleted), patch; bbouvier: review+
The following testcase crashes on mozilla-central revision 9169f652fe5e (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-check-range-analysis --ion-eager --baseline-eager --ion-extra-checks):
See attachment.
Backtrace:
Program terminated with signal SIGSEGV, Segmentation fault.
#0 used (this=0x0) at js/src/jit/Label.h:42
#1 js::jit::AssemblerX86Shared::bind (this=0x7f35fcaf1058, label=0x0) at js/src/jit/x86-shared/Assembler-x86-shared.h:932
#2 0x0000000000943975 in js::jit::CodeGenerator::getJumpLabelForBranch (this=this@entry=0x7f35fcaf1000, block=0x7f35fcdef9c8) at js/src/jit/CodeGenerator.cpp:664
#3 0x0000000000965462 in js::jit::CodeGenerator::visitTestVAndBranch (this=0x7f35fcaf1000, lir=0x7f35fc90d600) at js/src/jit/CodeGenerator.cpp:709
#4 0x00000000009a682e in js::jit::CodeGenerator::generateBody (this=this@entry=0x7f35fcaf1000) at js/src/jit/CodeGenerator.cpp:4149
#5 0x00000000009a6f6a in js::jit::CodeGenerator::generate (this=this@entry=0x7f35fcaf1000) at js/src/jit/CodeGenerator.cpp:7859
#6 0x00000000009a718e in js::jit::GenerateCode (mir=mir@entry=0x7f35fcddc1a8, lir=0x7f35fcdfa180) at js/src/jit/Ion.cpp:1954
#7 0x00000000009a7275 in js::jit::CompileBackEnd (mir=0x7f35fcddc1a8) at js/src/jit/Ion.cpp:1976
#8 0x0000000000675e1a in js::HelperThread::handleIonWorkload (this=this@entry=0x7f35fee2e000) at js/src/vm/HelperThreads.cpp:1180
#9 0x0000000000676fd9 in js::HelperThread::threadLoop (this=0x7f35fee2e000) at js/src/vm/HelperThreads.cpp:1482
#10 0x00000000006cd8b1 in nspr::Thread::ThreadRoutine (arg=0x7f35fee2c080) at js/src/vm/PosixNSPR.cpp:45
#11 0x00007f360007a182 in start_thread (arg=0x7f35fedff700) at pthread_create.c:312
#12 0x00007f35ff16a47d in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
rax 0x0 0
rbx 0x0 0
rcx 0xa 10
rdx 0x400 1024
rsi 0xe073ca 14709706
rdi 0xa 10
rbp 0x7f35fedfea60 139869886081632
rsp 0x7f35fedfea10 139869886081552
r8 0x0 0
r9 0xe084d8 14714072
r10 0x30 48
r11 0x7f35fedfea10 139869886081552
r12 0x31 49
r13 0x31 49
r14 0x7f35fcdef9c8 139869852465608
r15 0x7f35fcaf1058 139869849325656
rip 0x5bbd42 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+82>
=> 0x5bbd42 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+82>: cmpb $0x0,0x3(%rbx)
0x5bbd46 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+86>: jns 0x5bbd50 <js::jit::AssemblerX86Shared::bind(js::jit::Label*)+96>
The testcase doesn't reproduce for me but h4writer seems to already have found the issue, so filing now.
Comment 1 • 9 years ago (Reporter)
Comment 2 • 9 years ago
Assignee: nobody → hv1989
Attachment #8670360 - Flags: review?(benj)
Comment 3 • 9 years ago
Comment on attachment 8670360 [details] [diff] [review]
Propagate OOM
Review of attachment 8670360 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jit/CodeGenerator.cpp
@@ +659,4 @@
> // backedges, so emit inline code for the patchable jump. Heap allocating
> // the label allows it to be used by out of line blocks.
> Label* res = alloc().lifoAlloc()->new_<Label>();
> + masm.propagateOOM(res);
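Review bot: recording the OOM is not sufficient in this hunk: `masm.propagateOOM(res);` flags the failed allocation, but nothing in the visible lines bails out when `res` is null, so a null `Label*` still reaches the `masm.bind` that follows in this function, which is exactly the backtrace above (`getJumpLabelForBranch` at CodeGenerator.cpp:664 calling `AssemblerX86Shared::bind` with `label=0x0`). Suggest `if (!res) return nullptr;` (or an equivalent early exit) right after `propagateOOM`, with the caller checking the result before using the label. Also, `propagateOOM` is being handed a pointer where a bool is expected; make the conversion explicit (`!!res`) rather than relying on the implicit pointer-to-bool coercion.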
Can you make the coercion more explicit, please? !!res
Attachment #8670360 - Flags: review?(benj) → review+
Comment 4 • 9 years ago
This looks like a duplicate of bug 1209026.
(I think with this patch we'll still crash though because we'll pass nullptr to masm.bind below.)
Updated • 9 years ago
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Updated • 3 years ago
Assignee: hv1989 → nobody