Closed
Bug 1234411
Opened 9 years ago
Closed 9 years ago
Assertion failure: strings.initialized(), at js/src/vm/SPSProfiler.cpp:146 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
Release | Tracking | Status |
---|---|---|
firefox46 | --- | wontfix |
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
The following testcase crashes on mozilla-central revision 388bdc46ba51 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-check-range-analysis):
oomAfterAllocations(1)
enableSPSProfilingWithSlowAssertions();
function arrayProtoOutOfRange() {}
oomTest(arrayProtoOutOfRange);
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x0000000000aaf8a9 in js::SPSProfiler::profileString (this=this@entry=0x7ffff6960a18, script=script@entry=0x7ffff7e677e0, maybeFun=0x7ffff7e80040) at js/src/vm/SPSProfiler.cpp:146
#0 0x0000000000aaf8a9 in js::SPSProfiler::profileString (this=this@entry=0x7ffff6960a18, script=script@entry=0x7ffff7e677e0, maybeFun=0x7ffff7e80040) at js/src/vm/SPSProfiler.cpp:146
#1 0x0000000000aaf9b5 in js::SPSProfiler::enter (this=0x7ffff6960a18, cx=0x7ffff6907400, script=0x7ffff7e677e0, maybeFun=<optimized out>) at js/src/vm/SPSProfiler.cpp:193
#2 0x0000000000afbd04 in js::probes::EnterScript (cx=<optimized out>, script=<optimized out>, maybeFun=<optimized out>, fp=0x7ffff46710b8) at js/src/vm/Probes-inl.h:42
#3 0x0000000000ae9756 in js::InterpreterFrame::prologue (this=0x7ffff46710b8, cx=cx@entry=0x7ffff6907400) at js/src/vm/Stack.cpp:271
#4 0x0000000000a66645 in Interpret (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:1654
#5 0x0000000000a76347 in js::RunScript (cx=cx@entry=0x7ffff6907400, state=...) at js/src/vm/Interpreter.cpp:407
#6 0x0000000000a7666c in js::Invoke (cx=cx@entry=0x7ffff6907400, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:478
#7 0x0000000000a77249 in js::Invoke (cx=cx@entry=0x7ffff6907400, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:512
#8 0x00000000008ad044 in JS_CallFunction (cx=cx@entry=0x7ffff6907400, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2803
#9 0x0000000000a2ea9e in OOMTest (cx=0x7ffff6907400, argc=<optimized out>, vp=0x7ffff46710a0) at js/src/builtin/TestingFunctions.cpp:1165
#10 0x0000000000a7e002 in js::CallJSNative (cx=0x7ffff6907400, native=0xa2e800 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#22 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:6878
rip 0xaaf8a9 <js::SPSProfiler::profileString(JSScript*, JSFunction*)+793>
=> 0xaaf8a9 <js::SPSProfiler::profileString(JSScript*, JSFunction*)+793>: movl $0x92,0x0
0xaaf8b4 <js::SPSProfiler::profileString(JSScript*, JSFunction*)+804>: callq 0x4a3f80 <abort()>
Updated•9 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•9 years ago
JSBugMon: Bisection requested, result:
Due to skipped revisions, the first bad revision could be any of:
changeset: https://hg.mozilla.org/mozilla-central/rev/a0dd5a83ba36
user: Jan de Mooij
date: Thu Jul 24 11:56:43 2014 +0200
summary: Bug 1031529 part 2 - Remove JS_THREADSAFE #ifdefs everywhere. r=bhackett
changeset: https://hg.mozilla.org/mozilla-central/rev/6426fef52f51
user: Jan de Mooij
date: Thu Jul 24 11:56:45 2014 +0200
summary: Bug 1031529 part 3 - Step defining JS_THREADSAFE, remove --disable-threadsafe. r=glandium
This iteration took 0.825 seconds to run.
This is probably older than the range described in comment 2, making the range inaccurate.
Setting needinfo? from Jan as a fallback, since :djvj, who was responsible for the SPS profiler stuff, is likely busy with other projects.
Flags: needinfo?(jdemooij)
Updated•9 years ago
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 3•9 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 35b211eaad1f).
Updated•9 years ago
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:bisectfix]
Updated•9 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
Comment 4•9 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/c46eebf3397e
user: Jon Coppeard
date: Tue Dec 22 13:29:43 2015 +0000
summary: Bug 1232672 - Use MOZ_WARN_UNUSED_RESULT to make hash table clients check for failure r=luke r=billm r=njn
This iteration took 275.860 seconds to run.
Jon, is bug 1232672 a likely fix?
Flags: needinfo?(jcoppeard)
Comment 6•9 years ago
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Jon, is bug 1232672 a likely fix?
Yes indeed, looking at the diff in this file: https://hg.mozilla.org/mozilla-central/diff/c46eebf3397e/js/src/vm/SPSProfiler.cpp
Fixed by bug 1232672.
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Flags: needinfo?(jcoppeard)
Resolution: --- → FIXED
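The failure mode named in the fixing changeset's summary ("make hash table clients check for failure"), as an added C++ sketch that is not SpiderMonkey code and not the actual diff, which this page does not show: a table whose fallible `init()` result is dropped under injected OOM breaks the "initialized" invariant, while the checked form propagates the failure. `StringTable`, `Profiler`, `fallibleAlloc` and `invariantSurvives` are hypothetical names.

```cpp
// Added illustration: every name below is hypothetical, not SpiderMonkey code.
#include <cstddef>
#include <cstdio>
#include <cstdlib>

// Constructed OOM injector: the Nth allocation from now fails (0 = never).
static size_t g_failAfter = 0;
static void* fallibleAlloc(size_t n) {
    if (g_failAfter && --g_failAfter == 0) return nullptr;  // simulated OOM
    return std::malloc(n);
}

class StringTable {
    void* slots_ = nullptr;
public:
    ~StringTable() { std::free(slots_); }
    // [[nodiscard]]: the compiler warns when a caller drops the result.
    [[nodiscard]] bool init() { return (slots_ = fallibleAlloc(64)) != nullptr; }
    bool initialized() const { return slots_ != nullptr; }
};

class Profiler {
    StringTable strings_;
    bool enabled_ = false;
public:
    // Unchecked pattern: init() failure is dropped, profiling is enabled anyway.
    void enableUnchecked() { (void)strings_.init(); enabled_ = true; }
    // Checked pattern: OOM is propagated and profiling stays disabled.
    [[nodiscard]] bool enableChecked() {
        if (!strings_.init()) return false;
        enabled_ = true;
        return true;
    }
    // Invariant behind an assertion such as strings.initialized().
    bool invariantHolds() const { return !enabled_ || strings_.initialized(); }
};

// Fail allocation number failAfter while enabling; report the invariant.
bool invariantSurvives(bool checked, size_t failAfter) {
    Profiler p;
    g_failAfter = failAfter;
    bool ok = checked ? p.enableChecked() : (p.enableUnchecked(), true);
    (void)ok;  // a real caller would report OOM when ok is false
    g_failAfter = 0;
    return p.invariantHolds();
}

int main() {
    std::printf("unchecked=%d checked=%d\n", invariantSurvives(false, 1), invariantSurvives(true, 1));
}
```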
Updated•9 years ago
Whiteboard: [jsbugmon:] → [jsbugmon:update]
Too late for assertion fixes in 46.