Closed Bug 1278829 Opened 8 years ago Closed 8 years ago

Crash [@ js::TypeSet::ObjectKey::get] with use-after-free

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1278832
Tracking Status
firefox49 --- fixed
firefox50 --- fixed

People

(Reporter: decoder, Unassigned)

Details

(4 keywords, Whiteboard: [jsbugmon:update][adv-main49-])

Crash Data

The following testcase crashes on mozilla-central revision ec20b463c04f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-debug, run with --fuzzing-safe --no-threads):

loadFile(`
gczeal(15, false);
function loadFile(lfVarx) {}
`);
loadFile(`
for (var i=0; i < 1; ++class get {}.length.get) {}
`);
function loadFile(lfVarx) {
  eval(lfVarx);
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000904977 in js::TypeSet::ObjectKey::get (obj=0x7ffff7e86bc0) at js/src/vm/TypeInference-inl.h:102
#0  0x0000000000904977 in js::TypeSet::ObjectKey::get (obj=0x7ffff7e86bc0) at js/src/vm/TypeInference-inl.h:102
#1  IsObjectKeyAboutToBeFinalized (keyp=<synthetic pointer>) at js/src/vm/TypeInference.cpp:804
#2  js::ConstraintTypeSet::sweep (this=0x7ffff136d2a8, zone=0x7ffff695b000, oom=...) at js/src/vm/TypeInference.cpp:4131
#3  0x00000000008fa546 in js::ObjectGroup::sweep (this=this@entry=0x7ffff7e69820, oom=0x7fffffffa858, oom@entry=0x0) at js/src/vm/TypeInference.cpp:4252
#4  0x00000000009edb73 in js::ObjectGroup::maybeSweep (oom=0x0, this=0x7ffff7e69820) at js/src/vm/ObjectGroup-inl.h:26
#5  js::ObjectGroup::flags (this=0x7ffff7e69820) at js/src/vm/ObjectGroup-inl.h:32
#6  js::ObjectGroup::basePropertyCount (this=0x7ffff7e69820) at js/src/vm/TypeInference-inl.h:983
#7  js::ObjectGroup::getPropertyCount (this=0x7ffff7e69820) at js/src/vm/TypeInference-inl.h:1054
#8  js::ObjectGroup::traceChildren (this=0x7ffff7e69820, trc=0x7fffffffa988) at js/src/gc/Marking.cpp:1186
#9  0x0000000000a062f8 in js::TraceChildren (kind=<optimized out>, thing=0x7ffff7e69820, trc=0x7fffffffa988) at js/src/gc/Tracer.cpp:126
#10 JS::TraceChildren (trc=trc@entry=0x7fffffffa988, thing=...) at js/src/gc/Tracer.cpp:111
#11 0x0000000000a063c1 in CheckHeapTracer::check (this=this@entry=0x7fffffffa980, lock=...) at js/src/gc/Verifier.cpp:511
#12 0x0000000000a06531 in js::gc::CheckHeapAfterMovingGC (rt=rt@entry=0x7ffff696f000, lock=...) at js/src/gc/Verifier.cpp:533
#13 0x0000000000a08ab1 in js::Nursery::collect (this=this@entry=0x7ffff696f450, rt=0x7ffff696f000, reason=reason@entry=JS::gcreason::FULL_STORE_BUFFER, pretenureGroups=pretenureGroups@entry=0x7fffffffaf00) at js/src/gc/Nursery.cpp:506
#14 0x000000000075488f in js::gc::GCRuntime::minorGCImpl (this=this@entry=0x7ffff696f408, reason=reason@entry=JS::gcreason::FULL_STORE_BUFFER, pretenureGroups=pretenureGroups@entry=0x7fffffffaf00) at js/src/jsgc.cpp:6515
#15 0x0000000000754a4a in js::gc::GCRuntime::minorGC (this=this@entry=0x7ffff696f408, cx=cx@entry=0x7ffff6919800, reason=reason@entry=JS::gcreason::FULL_STORE_BUFFER) at js/src/jsgc.cpp:6533
#16 0x0000000000772b94 in js::gc::GCRuntime::gcIfRequested (this=this@entry=0x7ffff696f408, cx=cx@entry=0x7ffff6919800) at js/src/jsgc.cpp:6569
#17 0x00000000009dc90a in js::gc::GCRuntime::gcIfNeededPerAllocation (this=0x7ffff696f408, cx=cx@entry=0x7ffff6919800) at js/src/gc/Allocator.cpp:229
#18 0x00000000009e5479 in js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1> (kind=js::gc::AllocKind::OBJECT_LIMIT, cx=0x7ffff6919800, this=<optimized out>) at js/src/gc/Allocator.cpp:188
#19 js::Allocate<JSScript, (js::AllowGC)1> (cx=cx@entry=0x7ffff6919800) at js/src/gc/Allocator.cpp:137
#20 0x00000000007c2c97 in JSScript::Create (cx=cx@entry=0x7ffff6919800, enclosingScope=enclosingScope@entry=..., savedCallerFun=<optimized out>, options=..., sourceObject=..., sourceObject@entry=..., bufStart=23071, bufEnd=23077) at js/src/jsscript.cpp:2695
#21 0x00000000007c30d1 in CreateEmptyScriptForClone (cx=cx@entry=0x7ffff6919800, enclosingScope=..., src=src@entry=...) at js/src/jsscript.cpp:3674
#22 0x00000000007c5492 in js::CloneScriptIntoFunction (cx=cx@entry=0x7ffff6919800, enclosingScope=..., enclosingScope@entry=..., fun=fun@entry=..., src=..., src@entry=...) at js/src/jsscript.cpp:3705
#23 0x00000000008b289b in JSRuntime::cloneSelfHostedFunctionScript (this=<optimized out>, cx=cx@entry=0x7ffff6919800, name=..., name@entry=..., targetFun=targetFun@entry=...) at js/src/vm/SelfHosting.cpp:3107
#24 0x0000000000762d3a in JSFunction::createScriptForLazilyInterpretedFunction (cx=cx@entry=0x7ffff6919800, fun=fun@entry=...) at js/src/jsfun.cpp:1550
#25 0x0000000000763384 in JSFunction::getOrCreateScript (cx=0x7ffff6919800, this=<optimized out>) at js/src/jsfun.h:416
#26 JSFunction::getLength (this=<optimized out>, cx=cx@entry=0x7ffff6919800, length=length@entry=0x7fffffffb4c0) at js/src/jsfun.cpp:1374
#27 0x0000000000763bd3 in fun_resolve (cx=0x7ffff6919800, obj=..., id=..., resolvedp=0x7fffffffb580) at js/src/jsfun.cpp:503
#28 0x0000000000889604 in js::CallResolveOp (recursedp=<synthetic pointer>, propp=..., id=..., obj=..., cx=<optimized out>) at js/src/vm/NativeObject-inl.h:397
#29 js::LookupOwnPropertyInline<(js::AllowGC)1> (donep=<synthetic pointer>, propp=..., id=..., obj=..., cx=0x7ffff6919800) at js/src/vm/NativeObject-inl.h:489
#30 NativeGetPropertyInline<(js::AllowGC)1> (vp=..., nameLookup=NotNameLookup, id=..., receiver=..., obj=..., cx=0x7ffff6919800, cx@entry=0x188d500 <js::TypedArrayObject::classes>) at js/src/vm/NativeObject.cpp:2008
#31 js::NativeGetProperty (cx=cx@entry=0x7ffff6919800, obj=..., obj@entry=..., receiver=..., id=..., vp=..., vp@entry=...) at js/src/vm/NativeObject.cpp:2052
#32 0x0000000000860f8f in js::GetProperty (vp=..., id=..., receiver=..., obj=..., cx=0x7ffff6919800) at js/src/vm/NativeObject.h:1508
#33 js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff6919800) at js/src/jsobj.h:830
#34 js::GetProperty (cx=0x7ffff6919800, v=..., name=..., vp=...) at js/src/vm/Interpreter.cpp:4157
#35 0x000000000086696a in GetPropertyOperation (vp=..., lval=..., pc=<optimized out>, script=..., fp=<optimized out>, cx=<optimized out>) at js/src/vm/Interpreter.cpp:189
#36 Interpret (cx=0x7ffff6919800, state=...) at js/src/vm/Interpreter.cpp:2590
#37 0x0000000000873e6d in js::RunScript (cx=0x7ffff6919800, state=...) at js/src/vm/Interpreter.cpp:398
[...]
#51 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7417

rax 0x7ffff7e86bc1 140737352592321
rbx 0x4b4b4b4b0fc00e80 5425512961856769664
rcx 0x7ffff696f000 140737330475008
rdx 0x7ffff7e86bc0 140737352592320
rsi 0x7ffff695b000 140737330393088
rdi 0x7fffffffa7b0 140737488332720
rbp 0x7ffff136d2a8 140737240289960
rsp 0x7fffffffa770 140737488332656
r8  0x7ffff136d2a0 140737240289952
r9  0x25fee99b 637462939
r10 0x110d 4365
r11 0x25fee99b 637462939
r12 0x7fffffffa7b0 140737488332720
r13 0x7ffff7e69820 140737352472608
r14 0x7ffff695b000 140737330393088
r15 0x7ffff511c2a0 140737304969888
rip 0x904977 <js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&)+695>
=> 0x904977 <js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&)+695>: testb $0x2,0x18(%rbx)
   0x90497b <js::ConstraintTypeSet::sweep(JS::Zone*, js::AutoClearTypeInferenceStateOnOOM&)+699>: cmovne %rax,%rbx

This looks like use-after-free to me, marking s-s and sec-critical.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, failed due to error (try manually).
Jon, can you look at this? Presumably this is an existing issue exposed by the new zeal mode.
Flags: needinfo?(jcoppeard)
No longer reproduces with the patch from bug 1278832 applied.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Marking fixed in 49 and 50 to get this off our triage radar.
Whiteboard: [jsbugmon:update] → [jsbugmon:update][adv-main49-]
Group: javascript-core-security