The following testcase crashes on mozilla-central revision ab8a76ac7b34 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-debug, run with --fuzzing-safe): du = new Debugger du.setupTraceLogger({ Scripts: true }); lfCodeBuffer = ""; loadFile(lfCodeBuffer); function loadFile(lfVarx) oomTest(Function(lfVarx)); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x081b375c in putNewInfallible<unsigned int&, js::TraceLoggerEventPayload*&> (l=@0xffffc610: 59, this=0xf7a821d8) at js/src/debug32/dist/include/js/HashTable.h:1733 #0 0x081b375c in putNewInfallible<unsigned int&, js::TraceLoggerEventPayload*&> (l=@0xffffc610: 59, this=0xf7a821d8) at js/src/debug32/dist/include/js/HashTable.h:1733 #1 putNew<unsigned int&, js::TraceLoggerEventPayload*&> (l=@0xffffc610: 59, this=0xf7a821d8) at js/src/debug32/dist/include/js/HashTable.h:1749 #2 putNew<unsigned int&, js::TraceLoggerEventPayload*&> (v=<synthetic pointer>, k=@0xffffc610: 59, this=0xf7a821d8) at js/src/debug32/dist/include/js/HashTable.h:238 #3 js::TraceLoggerThread::getOrCreateEventPayload (this=this@entry=0xf7a82180, type=type@entry=TraceLogger_Scripts, filename=0xf7a8f040 "min.js line 9 > Function", lineno=lineno@entry=1, colno=colno@entry=0, ptr=ptr@entry=0xf4f5a1f0) at js/src/vm/TraceLogging.cpp:438 #4 0x081b38c4 in getOrCreateEventPayload (script=0xf4f5a1f0, type=TraceLogger_Scripts, this=0xf7a82180) at js/src/vm/TraceLogging.cpp:458 #5 js::TraceLoggerEvent::TraceLoggerEvent (this=0xffffc7ec, logger=0xf7a82180, type=TraceLogger_Scripts, script=0xf4f5a1f0) at js/src/vm/TraceLogging.cpp:970 #6 0x08712723 in Interpret (cx=cx@entry=0xf7a73020, state=...) at js/src/vm/Interpreter.cpp:1664 #7 0x0872311f in js::RunScript (cx=cx@entry=0xf7a73020, state=...) at js/src/vm/Interpreter.cpp:426 #8 0x087233fa in js::InternalCallOrConstruct (cx=0xf7a73020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:498 #9 0x08723664 in InternalCall (cx=cx@entry=0xf7a73020, args=...) at js/src/vm/Interpreter.cpp:525 #10 0x08723714 in js::Call (cx=0xf7a73020, fval=fval@entry=..., thisv=thisv@entry=..., args=..., rval=rval@entry=...) at js/src/vm/Interpreter.cpp:544 #11 0x08576bf0 in JS_CallFunction (cx=cx@entry=0xf7a73020, obj=..., fun=fun@entry=..., args=..., rval=rval@entry=...) at js/src/jsapi.cpp:2876 #12 0x088768b6 in OOMTest (cx=0xf7a73020, argc=1, vp=0xf4c380b8) at js/src/builtin/TestingFunctions.cpp:1310 #13 0x08726bca in js::CallJSNative (cx=0xf7a73020, native=0x88765b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 [...] #27 main (argc=3, argv=0xffffd8e4, envp=0xffffd8f4) at js/src/shell/js.cpp:7465 eax 0x0 0 ebx 0x98b9774 160143220 ecx 0xf7e4488c -136034164 edx 0x0 0 esi 0xffffc630 -14800 edi 0xf7a82180 -139976320 ebp 0xffffc678 4294952568 esp 0xffffc5d0 4294952400 eip 0x81b375c <js::TraceLoggerThread::getOrCreateEventPayload(TraceLoggerTextId, char const*, unsigned int, unsigned int, void const*)+2204> => 0x81b375c <js::TraceLoggerThread::getOrCreateEventPayload(TraceLoggerTextId, char const*, unsigned int, unsigned int, void const*)+2204>: movl $0x6c5,0x0 0x81b3766 <js::TraceLoggerThread::getOrCreateEventPayload(TraceLoggerTextId, char const*, unsigned int, unsigned int, void const*)+2214>: call 0x8109470 <abort()>