Closed Bug 1278832 Opened 8 years ago Closed 8 years ago

Crash [@ js::PreliminaryObjectArray::sweep] and various other signatures through [@ js::ObjectGroup::sweep] with use-after-free

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla50
Tracking Status:
firefox48 --- unaffected
firefox49 + verified
firefox-esr45 --- unaffected
firefox50 + verified

People
Reporter: decoder
Assigned: jonco

Details
5 keywords, Whiteboard: [fuzzblocker] [jsbugmon:update]

Attachments
1 file

The following testcase crashes on mozilla-central revision ec20b463c04f (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --no-threads):

    // Fuzzer-generated testcase; only the gczeal() calls and the object
    // allocations in the loop matter for the crash.
    function assertThrowsInstanceOf() {}
    gczeal(15);               // zeal mode 15: check the heap after a moving GC
    try {
        gczeal(10, 2);        // second argument is the zeal frequency
    } catch (Atomics) {}
    for (define of [__defineSetter__]) {
        let nonCallable = [{}];
        for (let value of nonCallable)
            assertThrowsInstanceOf(TypeError);
        key = { [Symbol]() {} };   // computed method name; allocates a new object group
    }

Backtrace:

    Program received signal SIGSEGV, Segmentation fault.
    js::PreliminaryObjectArray::sweep (this=<optimized out>) at js/src/vm/TypeInference.cpp:3408
    #0  js::PreliminaryObjectArray::sweep (this=<optimized out>) at js/src/vm/TypeInference.cpp:3408
    #1  0x0000000000b61f88 in js::ObjectGroup::sweep (this=this@entry=0x7ffff7e9e0a0, oom=oom@entry=0x7fffffffd050) at js/src/vm/TypeInference.cpp:4215
    #2  0x000000000092505b in js::ObjectGroup::maybeSweep (oom=0x7fffffffd050, this=0x7ffff7e9e0a0) at js/src/vm/ObjectGroup-inl.h:26
    #3  SweepThing (oom=0x7fffffffd050, group=<optimized out>) at js/src/jsgc.cpp:5261
    #4  SweepArenaList<js::ObjectGroup, js::AutoClearTypeInferenceStateOnOOM*> (sliceBudget=..., arenasToSweep=<optimized out>) at js/src/jsgc.cpp:5270
    #5  js::gc::GCRuntime::sweepPhase (this=this@entry=0x7ffff6965440, sliceBudget=..., lock=...) at js/src/jsgc.cpp:5315
    #6  0x000000000092eefe in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff6965440, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT, lock=...) at js/src/jsgc.cpp:5948
    #7  0x0000000000930153 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff6965440, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6171
    #8  0x00000000009306e8 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff6965440, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6279
    #9  0x0000000000930913 in js::gc::GCRuntime::gc (this=this@entry=0x7ffff6965440, gckind=gckind@entry=GC_NORMAL, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at js/src/jsgc.cpp:6339
    #10 0x00000000008d76ac in js::DestroyContext (cx=0x7ffff691ac00, mode=js::DCM_FORCE_GC) at js/src/jscntxt.cpp:184
    #11 0x000000000048c2cb in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7431

    rax 0xfffe4b4b4b4b4b4b -480163195565237
    rbx 0x7ffff6937a88     140737330248328
    rcx 0xe850             59472
    rdx 0x10001            65537
    rsi 0x1                1
    rdi 0x0                0
    rbp 0x7fffffffcf20     140737488342816
    rsp 0x7fffffffcef0     140737488342768
    r8  0x1f               31
    r9  0x7ffff52dc2b8     140737306804920
    r10 0x40               64
    r11 0x7ffff52014e8     140737305908456
    r12 0x1                1
    r13 0x7ffff7e74280     140737352516224
    r14 0x7ffff6998000     140737330642944
    r15 0x7ffff7e9e0a0     140737352687776
    rip 0xb52ca1 <js::PreliminaryObjectArray::sweep()+65>
    => 0xb52ca1 <js::PreliminaryObjectArray::sweep()+65>: mov 0x10(%rax),%rdx
       0xb52ca5 <js::PreliminaryObjectArray::sweep()+69>: mov 0x50(%rdx),%rdi

This and other crashes with similar signatures all show signs of use-after-free so marking s-s and sec-critical. Also marking as fuzzblocker because the amount of GC-related signatures I'm seeing is exploding.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/69ea294ab4b6
user:      Jon Coppeard
date:      Mon May 16 14:23:09 2016 +0100
summary:   Bug 1272604 - Add a zeal mode to check the heap after a moving GC r=terrence

This iteration took 0.936 seconds to run.
Jon, could you look at this? Thanks. Presumably this is an existing issue that the new zeal mode detected.
Flags: needinfo?(jcoppeard)
Oh, this is my fault. The way the heap tracing zeal works breaks IsAboutToBeFinalized because it happens while the heap is in the minor collecting state.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
Make sure the heap tracing happens with the heap in the trace state so as not to confuse IsAboutToBeFinalized.
Attachment #8762073 - Flags: review?(terrence)
Attachment #8762073 - Flags: review?(terrence) → review+
Not s-s because it's caused by GC zeal.
Group: javascript-core-security
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/68b7b99fa063 Make sure heap check zeal mode traces the heap outside of a GC r=terrence
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Please also nominate this for mozilla-aurora. It would fix *sweep* crashes when fuzzing on aurora as well.
Flags: needinfo?(jcoppeard)
Comment on attachment 8762073 [details] [diff] [review]
bug1278832-trace-heap-outside-minor-gc

Approval Request Comment
[Feature/regressing bug #]: Bug 1272604
[User impact if declined]: None, requested by fuzzers.
[Describe test coverage new/current, TreeHerder]: On m-c for last three days.
[Risks and why]: Low
[String/UUID change made/needed]: None
Flags: needinfo?(jcoppeard)
Attachment #8762073 - Flags: approval-mozilla-aurora?
Comment on attachment 8762073 [details] [diff] [review]
bug1278832-trace-heap-outside-minor-gc

Crash fix for regression from 49, ok to uplift.
Attachment #8762073 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
JSBugMon: This bug has been automatically verified fixed on Fx49
(In reply to Liz Henry (:lizzard) (needinfo? me) from comment #15) Anything showing up on crashstats is a different bug, since this one required gczeal(15) to trigger and that's not present in release builds of Firefox. I guess these should be tracked through bug 1212356.