The following testcase crashes on mozilla-central revision 77cead2cd203 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --target=i686-pc-linux-gnu --disable-tests --enable-simulator=arm --enable-debug, run with --fuzzing-safe --thread-count=2): oomTest(function() { eval(` function evalWithCache(code, ctx) { ctx = Object.create(ctx, {}); code = code instanceof Object ? code : cacheEntry(code); ctx.global = newGlobal({ cloneSingletons: true }); var res1 = evaluate(code, Object.create(ctx, {saveBytecode: { value: true } })); var res2 = evaluate(code, Object.create(ctx, {loadBytecode: { value: true }, saveBytecode: { value: true } })); } test = (function () { function f(x) {} return f.toSource() + "; f(true)"; })(); evalWithCache(test, { assertEqBytecode: true, assertEqResult : true }); `); }); Backtrace: Program received signal SIGSEGV, Segmentation fault. XDRRelazificationInfo<(js::XDRMode)1> (lazy=..., enclosingScope=..., script=..., fun=..., xdr=0xffffad10) at js/src/jsscript.cpp:557 #0 XDRRelazificationInfo<(js::XDRMode)1> (lazy=..., enclosingScope=..., script=..., fun=..., xdr=0xffffad10) at js/src/jsscript.cpp:557 #1 js::XDRScript<(js::XDRMode)1> (xdr=xdr@entry=0xffffad10, enclosingScopeArg=enclosingScopeArg@entry=..., enclosingScript=..., enclosingScript@entry=..., fun=fun@entry=..., scriptp=..., scriptp@entry=...) at js/src/jsscript.cpp:1211 #2 0x085aa13a in js::XDRInterpretedFunction<(js::XDRMode)1> (xdr=xdr@entry=0xffffad10, enclosingScope=enclosingScope@entry=..., enclosingScript=enclosingScript@entry=..., objp=objp@entry=...) at js/src/jsfun.cpp:630 #3 0x085f4346 in js::XDRScript<(js::XDRMode)1> (xdr=xdr@entry=0xffffad10, enclosingScopeArg=enclosingScopeArg@entry=..., enclosingScript=..., enclosingScript@entry=..., fun=..., fun@entry=..., scriptp=..., scriptp@entry=...) at js/src/jsscript.cpp:1152 #4 0x0883948d in js::XDRState<(js::XDRMode)1>::codeScript (this=this@entry=0xffffad10, scriptp=scriptp@entry=...) at js/src/vm/Xdr.cpp:168 #5 0x08524376 in JS_DecodeScript (cx=0xf7a74020, data=0xeca54000, length=342) at js/src/jsapi.cpp:6457 #6 0x080f24fd in Evaluate (cx=0xf7a74020, argc=2, vp=0xf542d128) at js/src/shell/js.cpp:1478 #7 0x086f8a4a in js::CallJSNative (cx=0xf7a74020, native=0x80f17d0 <Evaluate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235 #8 0x086f5ce4 in js::InternalCallOrConstruct (cx=0xf7a74020, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:480 #9 0x086f6094 in InternalCall (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:525 #10 0x086e509b in CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:531 #11 Interpret (cx=cx@entry=0xf7a74020, state=...) at js/src/vm/Interpreter.cpp:2831 #12 0x086f5a0f in js::RunScript (cx=0xf7a74020, state=...) at js/src/vm/Interpreter.cpp:426 #13 0x086f797f in js::ExecuteKernel (cx=0xf7a74020, script=..., script@entry=..., scopeChainArg=..., newTargetValue=..., evalInFrame=evalInFrame@entry=..., result=result@entry=0xf59ffe80) at js/src/vm/Interpreter.cpp:704 #14 0x0849776d in js::DirectEvalStringFromIon (cx=cx@entry=0xf7a74020, scopeObj=scopeObj@entry=..., callerScript=callerScript@entry=..., newTargetValue=newTargetValue@entry=..., str=str@entry=..., pc=pc@entry=0xf7a98629 "{", vp=...) at js/src/builtin/Eval.cpp:408 #15 0x084fb19d in js::jit::Simulator::softwareInterrupt (this=0xf7a1c000, instr=0xf553b264) at js/src/jit/arm/Simulator-arm.cpp:2388 [...] #28 0x088487bc in OOMTest (cx=0xf7a74020, argc=1, vp=0xf542d058) at js/src/builtin/TestingFunctions.cpp:1310 [...] #43 main (argc=4, argv=0xffffccd4, envp=0xffffcce8) at js/src/shell/js.cpp:7483 eax 0x0 0 ebx 0x988cffc 159961084 ecx 0x0 0 edx 0x0 0 esi 0x0 0 edi 0x0 0 ebp 0xffffa9c8 4294945224 esp 0xffffa7b0 4294944688 eip 0x85f4b91 <js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)+7713> => 0x85f4b91 <js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)+7713>: movzbl 0x1f(%eax),%edx 0x85f4b95 <js::XDRScript<(js::XDRMode)1>(js::XDRState<(js::XDRMode)1>*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JSFunction*>, JS::MutableHandle<JSScript*>)+7717>: shl $0x4,%ecx

JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781". The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

I was unable to reproduce this issue on x64. I will double check with a arm simulator build, as soon as I get a working toolchain again, but I think this issue most likely got fix we recent XDR clean-up made by Ted, or sooner. If we had any issue, during the decoding, it was related to the fact that we were throwing an exception when creating a LazyScript, and reporting it wrongly in the Evaluate function.

(In reply to Nicolas B. Pierron [:nbp] from comment #3) > I was unable to reproduce this issue on x64. I will double check with a arm > simulator build, as soon as I get a working toolchain again, but I think > this issue most likely got fix we recent XDR clean-up made by Ted, or sooner. I confirm that I cannot reproduce it with the arm simulator. I will land the test case later.

I cannot add this test case to the test suite for timeout reasons. I was unable to reproduce any issue locally. https://treeherder.mozilla.org/#/jobs?repo=try&revision=39e3ff32e9c588cc4e3516e1cf35826dda48fca6