The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off): loadFile(""); loadFile(""); loadFile("Array.prototype.splice.call(1)"); function loadFile(lfVarx) { parseInt("1"); oomTest(function() { eval(lfVarx); }); } Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000519fa6 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at js/src/debug64/dist/include/js/Value.h:863 #0 0x0000000000519fa6 in OBJECT_TO_JSVAL_IMPL (obj=<optimized out>) at js/src/debug64/dist/include/js/Value.h:863 #1 0x000000000051bce9 in setObject (obj=..., this=<synthetic pointer>) at js/src/debug64/dist/include/js/Value.h:1098 #2 ObjectValue (obj=...) at js/src/debug64/dist/include/js/Value.h:1536 #3 ArraySpeciesCreate (cx=cx@entry=0x7ffff6908800, origArray=..., origArray@entry=..., length=length@entry=0, arr=..., arr@entry=...) at js/src/jsarray.cpp:936 #4 0x0000000000527f62 in js::array_splice_impl (cx=0x7ffff6908800, argc=0, vp=0x7ffff31f6198, returnValueIsUsed=<optimized out>) at js/src/jsarray.cpp:2510 #5 0x0000000000a908c2 in js::CallJSNative (cx=0x7ffff6908800, native=0x528610 <array_splice(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 [...] #15 0x0000000000617535 in js::jit::DoCallFallback (cx=0x7ffff6908800, frame=0x7fffffffc178, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffc128, res=...) at js/src/jit/BaselineIC.cpp:6100 #16 0x00007ffff7ff1a1f in ?? () [...] #48 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7fffffffa940 140737488333120 rcx 0x7ffff6ca588d 140737333844109 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffa8d0 140737488333008 rsp 0x7fffffffa8d0 140737488333008 r8 0x7ffff7fdf7c0 140737354004416 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7fffffffa690 140737488332432 r11 0x7ffff6c27ee0 140737333329632 r12 0x7fffffffa900 140737488333056 r13 0x7fffffffa920 140737488333088 r14 0x0 0 r15 0x7ffff6908800 140737330055168 rip 0x519fa6 <OBJECT_TO_JSVAL_IMPL(JSObject*)+70> => 0x519fa6 <OBJECT_TO_JSVAL_IMPL(JSObject*)+70>: movl $0x35f,0x0 0x519fb1 <OBJECT_TO_JSVAL_IMPL(JSObject*)+81>: callq 0x4ab6f0 <abort()>

JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20160407030451" and the hash "9f6afb62fe80ee168a90577957d1c53ad9fe8ecd". The "bad" changeset has the timestamp "20160407034945" and the hash "4d0f975a23119a61a6c8e5856125de2db5713c49". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=9f6afb62fe80ee168a90577957d1c53ad9fe8ecd&tochange=4d0f975a23119a61a6c8e5856125de2db5713c49

Setting needinfo as per previous comment. Related to Array.species

Thanks! This is a null dereference because of OOM. Added null check for GetSelfHostedFunction.

Comment on attachment 8742361 [details] [diff] [review] Check the return value of GetSelfHostedFunction in ArraySpeciesCreate. Review of attachment 8742361 [details] [diff] [review]: ----------------------------------------------------------------- Oops. Nice catch.

https://hg.mozilla.org/integration/mozilla-inbound/rev/d9c905c8e1d102de622cbcf17f1e8797f7f5fa7b Bug 1263865 - Check the return value of GetSelfHostedFunction in ArraySpeciesCreate. r=efaust