The following testcase crashes on mozilla-central revision d719ac4bcbec (build with --enable-debug --enable-more-deterministic --32, run with --fuzzing-safe --no-threads --ion-eager): // jsfunfuzz-generated enableSPSProfilingWithSlowAssertions(); // Adapted from randomly chosen test: js/src/jit-test/tests/modules/eval-module-oom.js let x = {}; setModuleResolveHook(function(m, s) { return x[s]; }) let y = "export default 0; export function f(){}"; let z = "import x from 'a'"; oomTest(() => { x['a'] = parseModule(y); let b = x[''] = parseModule(z); b.declarationInstantiation(); throw 42; }) Backtrace: 0 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0040531b js::jit::IonBuilder::startTrackingOptimizations() + 459 (CompileInfo.h:168) 1 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x002b2ca1 js::jit::IonBuilder::jsop_getprop(js::PropertyName*) + 33 (IonBuilder.cpp:10982) 2 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x002a51cd js::jit::IonBuilder::inspectOpcode(JSOp) + 1117 (IonBuilder.cpp:2016) 3 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x002a269a js::jit::IonBuilder::traverseBytecode() + 634 (IonBuilder.cpp:1522) 4 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0029d417 js::jit::IonBuilder::build() + 2039 (IonBuilder.cpp:918) 5 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0027efa5 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool, bool) + 3141 (Ion.cpp:2195) 6 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0027df63 js::jit::CanEnter(JSContext*, js::RunState&) + 387 (Ion.cpp:2526) 7 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0081f5d2 js::RunScript(JSContext*, js::RunState&) + 274 (Interpreter.cpp:402) 8 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x00837daf js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 687 (Interpreter.cpp:493) 9 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0083827d js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 381 (Interpreter.cpp:527) 10 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x001d2e0f js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2735 (BaselineIC.cpp:6136) 11 ??? 0x01ddce2e 0 + 31313454 12 ??? 0x0310f4a0 0 + 51442848 13 ??? 0x01dd6c5c 0 + 31288412 14 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x001e336b EnterBaseline(JSContext*, js::jit::EnterJitData&) + 683 (BaselineJIT.cpp:149) 15 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x001e2ec9 js::jit::EnterBaselineMethod(JSContext*, js::RunState&) + 249 (BaselineJIT.cpp:185) 16 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0081f60f js::RunScript(JSContext*, js::RunState&) + 335 (Interpreter.cpp:415) 17 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x00837daf js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 687 (Interpreter.cpp:493) 18 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0083827d js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 381 (Interpreter.cpp:527) 19 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0058fb3c JS_CallFunction(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSFunction*>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) + 540 (jsapi.cpp:2856) 20 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x007fa2b9 OOMTest(JSContext*, unsigned int, JS::Value*) + 873 (TestingFunctions.cpp:1210) 21 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x008534dd js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 221 (jscntxtinlines.h:236) 22 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x00837dfc js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 764 (Interpreter.cpp:463) 23 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x0083827d js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) + 381 (Interpreter.cpp:527) 24 js-dbg-32-dm-clang-darwin-d719ac4bcbec 0x001d2e0f js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 2735 (BaselineIC.cpp:6136) 25 ??? 0x01ddce2e 0 + 31313454 26 ??? 0x03198db8 0 + 52006328 This seems to only reproduce on 32-bit shells.

autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/fd69e842ed49 parent: 274349:6499724b05d0 user: Jon Coppeard date: Thu Nov 26 11:49:54 2015 +0000 summary: Bug 1227533 - Factor out dummy module resolve hook from tests r=shu Jon, is bug 1227533 a likely regressor?

JSBugMon: The testcase found in this bug no longer reproduces (tried revision e355cacefc88).

Not related to that bug, but thanks to the stack in comment 2 I can see what the problem is. IonBuilder::trackOptimizationAttemptUnchecked() calls setOptimizations(nullptr) on the BytecodeSite if we hit OOM, but that will cause subsequent calls to optimizations() to assert. Maybe we need to disable optimisation tracking if we hit OOM, or take account of the the possibility that this may be null.

So I can't reproduce the bug, but based on the stacks this looks like the correct fix. Can someone who was able to reproduce the bug try this patch to confirm fix?

Comment on attachment 8719965 [details] [diff] [review] Handle an OOM case in optimization tracking. Yes, this fix works. Thanks!

Shu-yu, is this ready for landing?