The following testcase crashes on mozilla-central revision 3a11a57b43aa (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --arm-hwcap=vfp): function parseAsmJS() { eval(`function m(stdlib) { "use asm"; var abs = stdlib.Math.abs; function f(d) { d = +d; return (~~(5.0 - +abs(d)))|7 * 1 ; } return f; }`); } oomTest(parseAsmJS); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0842f65a in js::jit::Instruction::extractCond (this=0xf7fcf09c) at js/src/jit/arm/Assembler-arm.h:1987 #0 0x0842f65a in js::jit::Instruction::extractCond (this=0xf7fcf09c) at js/src/jit/arm/Assembler-arm.h:1987 #1 0x084305c9 in extractCond (this=0xf7fcf09c) at js/src/jit/arm/Assembler-arm.cpp:3119 #2 InstIsGuard (inst=0xf7fcf09c, ph=<optimized out>) at js/src/jit/arm/Assembler-arm.cpp:3113 #3 0x08435360 in js::jit::Instruction::skipPool (this=0xf7fcf09c) at js/src/jit/arm/Assembler-arm.cpp:3157 #4 0x0843b3eb in InstructionIterator (i_=0xf7fcf09c, this=0xffffa3a0) at js/src/jit/arm/Assembler-arm.cpp:3337 #5 js::jit::Assembler::PatchDataWithValueCheck (label=..., newValue=..., expectedValue=expectedValue@entry=...) at js/src/jit/arm/Assembler-arm.cpp:3063 #6 0x0823c94f in js::wasm::Module::staticallyLink (this=this@entry=0xf7a89320, cx=cx@entry=0xf7a70020, linkData=...) at js/src/asmjs/WasmModule.cpp:1053 #7 0x081ec93d in staticallyLink (cx=0xf7a70020, this=0xf7a89320) at js/src/asmjs/AsmJS.cpp:430 #8 js::CompileAsmJS (cx=0xf7a70020, parser=..., stmtList=stmtList@entry=0xf7a7e638, validated=validated@entry=0xffffa680) at js/src/asmjs/AsmJS.cpp:8300 [...] #50 main (argc=3, argv=0xffffd8d4, envp=0xffffd8e4) at js/src/shell/js.cpp:7250 eax 0x0 0 ebx 0x9858430 159745072 ecx 0xf7e4488c -136034164 edx 0x0 0 esi 0xf7fcf09c -134418276 edi 0xf7a5a824 -140138460 ebp 0xffffa338 4294943544 esp 0xffffa320 4294943520 eip 0x842f65a <js::jit::Instruction::extractCond()+42> => 0x842f65a <js::jit::Instruction::extractCond()+42>: movl $0x7c3,0x0 0x842f664 <js::jit::Instruction::extractCond()+52>: call 0x80fd280 <abort()>

I've been looking at this for an hour, what happens is that there's a call to SymbolicAddress::ToInt32 in OOL code. Before patching in staticallyLink, the to-be-patched value must be set to -1. That value being a numerical value, and we're testing with arm vfp, we're using a constant pool. Constant pools under ARM work in 2 steps: 1. write hints, 2. flush the pool into the actual numbers. The assertion triggered means that we have written the hint but haven't actually flushed the pool. However, how can that be, as we have this call to flush() at the end of CodeGenerator::generateAsmJS, now?

Ha, found it: the flush() code itself can oom, so we need to check that we didn't reach OOM after flushing.

Review commit: https://reviewboard.mozilla.org/r/39765/diff/#index_header See other reviews: https://reviewboard.mozilla.org/r/39765/