Closed
Bug 1284485
Opened 8 years ago
Closed 8 years ago
Assertion failure: hasScript(), at js/src/jsfun.h:456 with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED DUPLICATE of bug 1236098
| Tracking | Status
---|---|---
firefox50 | --- | affected
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file: deleted, image/png)
The following testcase crashes on mozilla-central revision c9a70b64f2fa (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):
loadFile(`
function assertEquivalent(t2) (true())
try {
h
} catch (e) {}
function f() {
function f() {
switch (f) {}
assertEquivalent();
}
return f;
}
for (var j = 0; j < 5; j)
(function() f()())()
`);
function loadFile(lfVarx) {
oomTest(Function(lfVarx))
}
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x000000000045f610 in JSFunction::hasUncompiledScript (this=<optimized out>) at js/src/jsfun.h:456
#0 0x000000000045f610 in JSFunction::hasUncompiledScript (this=<optimized out>) at js/src/jsfun.h:456
#1 JSFunction::nonLazyScript (this=<optimized out>) at js/src/jsfun.h:461
#2 0x0000000000b517b9 in js::ScopeIter::settle (this=this@entry=0x7fffffffac10) at js/src/vm/ScopeObject.cpp:1484
#3 0x0000000000b51e3a in js::ScopeIter::operator++ (this=this@entry=0x7fffffffac10) at js/src/vm/ScopeObject.cpp:1515
#4 0x0000000000ac1f6b in js::UnwindAllScopesInFrame (cx=cx@entry=0x7ffff6965000, si=...) at js/src/vm/Interpreter.cpp:1025
#5 0x0000000000839f23 in js::jit::DebugEpilogue (cx=cx@entry=0x7ffff6965000, frame=frame@entry=0x7fffffffb4a8, pc=0x7ffff69b14a5 ":", ok=<optimized out>) at js/src/jit/VMFunctions.cpp:708
#6 0x000000000071b6ac in js::jit::OnLeaveBaselineFrame (frameOk=<optimized out>, rfe=<optimized out>, pc=<optimized out>, frame=..., cx=<optimized out>) at js/src/jit/JitFrames.cpp:463
#7 js::jit::HandleExceptionBaseline (pc=0x7ffff69b14a5 ":", rfe=<optimized out>, frame=..., cx=0x7ffff6965000) at js/src/jit/JitFrames.cpp:696
#8 js::jit::HandleException (rfe=<optimized out>) at js/src/jit/JitFrames.cpp:837
#9 0x00007ffff7fe6646 in ?? ()
[...]
#25 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7fffffffac10 140737488333840
rcx 0x7ffff6c28a2d 140737333332525
rdx 0x0 0
rsi 0x7ffff6ef7770 140737336276848
rdi 0x7ffff6ef6540 140737336272192
rbp 0x7fffffffaad0 140737488333520
rsp 0x7fffffffaad0 140737488333520
r8 0x7ffff6ef7770 140737336276848
r9 0x7ffff7fdc740 140737353992000
r10 0x58 88
r11 0x7ffff6b9f750 140737332770640
r12 0x7fffffffac48 140737488333896
r13 0x7ffff7e95080 140737352650880
r14 0x1ca78e0 30046432
r15 0x1ca7ac0 30046912
rip 0x45f610 <JSFunction::nonLazyScript() const+48>
=> 0x45f610 <JSFunction::nonLazyScript() const+48>: movl $0x0,0x0
0x45f61b <JSFunction::nonLazyScript() const+59>: ud2
Comment 1 • Carsten Book [:Tomcat] • 8 years ago
Maybe related to bug 1236098? We see this assertion also on some live sites with bughunter.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 2•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ae61f4fcb292
user: Nicolas B. Pierron
date: Tue May 17 17:15:52 2016 +0000
summary: Bug 1261826 part 8 - Add JSOP_JUMPTARGET opcode. r=jandem,jorendorff,shu
This iteration took 0.811 seconds to run.
Updated•8 years ago
Flags: needinfo?(nicolas.b.pierron)
Updated•8 years ago
Flags: needinfo?(nicolas.b.pierron)
Comment 3•8 years ago
(In reply to Carsten Book [:Tomcat] from comment #1)
> maybe related to bug 1236098 ? we see this assertion also on some live sites
> with bughunter
This is likely.
I traced this issue, from the assert, to the bailout, and back to the codegen (thanks to rr).
The "scope_" value used in js::ScopeIter::settle comes from a baseline frame. This value is the result of a bailout, at a MGetNameCache (id 24) OSI Point, and is equal to the value returned by MFunctionEnvironment (id 23). This instruction returns the environment of the MLambda (id 15), thus its MCallObject (id 12).
From the "scope_", we look for the "callee()", which is set by the MStoreFixedSlot (id 14), with the value returned by the MLoadFixedSlot (id 6). This corresponds to a GetAliasedVar {hops = 0; slot = 3}. This MIR Graph represents the compiled code of the anonymous lambda function which is in the for-loop, thus this GetAliasedVar is supposed to be for the name "f".
The assertion fails because the hasScript() function returns false. I tracked down the "flags_" field of it, and it got created in generated assembly code, probably by some MLambda of the generated function. The problem is that the flags_ is still set to INTERPRETED_LAZY while we expect it to be INTERPRETED.
The problem is that this assertion assumes that if we are evaluating the callee() of the scope chain, we would have a delazified function, which is a sound assumption given that we inlined its body in Ion.
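As an added illustration (not code from this bug, its attachments, or SpiderMonkey itself), the following C model shows the state comment 3 describes: a function object whose delazification never completed, here because an allocation failed under injected OOM, keeps INTERPRETED_LAZY set, so an unguarded nonLazyScript()-style read of its script hits the hasScript() check. The flag bit values, the delazify step, the allocation hook, and every function name below are assumptions of the model, not SpiderMonkey's layout.

```c
/* Simplified model of the JSFunction state behind the hasScript() assertion.
 * Added illustration only; not SpiderMonkey's code. INTERPRETED,
 * INTERPRETED_LAZY and hasScript are borrowed names from jsfun.h; the bit
 * values, struct layout, delazify() and the OOM hook are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

enum {
    INTERPRETED      = 0x0001,   /* function owns a compiled script (assumed value) */
    INTERPRETED_LAZY = 0x0200,   /* function only has lazy source so far (assumed value) */
};

struct Script { const char *source; };   /* stand-in for JSScript */

struct Function {
    unsigned flags;
    struct Script *script;      /* valid only while INTERPRETED is set */
    const char *lazy_source;    /* stand-in for LazyScript */
};

/* The check the failing assertion makes: is there a real script to read? */
bool has_script(const struct Function *fun)
{
    return (fun->flags & INTERPRETED) != 0;
}

/* Allocation hook: a caller can make the n-th allocation (0-based) fail,
 * which is what oomTest() in the SpiderMonkey shell does for real code. */
static int oom_at = -1;         /* -1: never fail */
static int alloc_count = 0;

static void *model_alloc(size_t n)
{
    if (alloc_count++ == oom_at)
        return NULL;
    return malloc(n);
}

/* Delazification: compile the lazy source into a Script. On OOM the function
 * must be left exactly as it was, i.e. still INTERPRETED_LAZY. */
bool delazify(struct Function *fun)
{
    if (has_script(fun))
        return true;
    struct Script *s = model_alloc(sizeof *s);
    if (!s)
        return false;           /* OOM: flags untouched, has_script() stays false */
    s->source = fun->lazy_source;
    fun->script = s;
    fun->flags &= ~INTERPRETED_LAZY;
    fun->flags |= INTERPRETED;
    return true;
}

/* Model of nonLazyScript(): the real one asserts hasScript() and, in the
 * backtrace above, dies on the deliberate null store (movl $0x0,0x0).
 * Here we return NULL instead so the bad state can be observed. */
struct Script *non_lazy_script(const struct Function *fun)
{
    if (!has_script(fun))
        return NULL;            /* real code: assertion failure / SIGSEGV */
    return fun->script;
}

/* The unsound assumption from comment 3: the scope walk treats the callee as
 * already delazified and reads its script without checking that the
 * delazification actually succeeded. Returns true when the read is safe. */
bool walk_scope_callee(struct Function *callee, int fail_alloc)
{
    oom_at = fail_alloc;
    alloc_count = 0;
    (void)delazify(callee);     /* result ignored: that is the bug pattern */
    return non_lazy_script(callee) != NULL;
}

struct Function make_lazy_function(const char *src)
{
    struct Function f;
    f.flags = INTERPRETED_LAZY;
    f.script = NULL;
    f.lazy_source = src;
    return f;
}

int main(void)
{
    struct Function ok = make_lazy_function("function f() {}");
    struct Function oom = make_lazy_function("function f() {}");
    printf("no OOM:  script readable = %d\n", walk_scope_callee(&ok, -1));
    printf("OOM #0:  script readable = %d, still lazy = %d\n",
           walk_scope_callee(&oom, 0), (oom.flags & INTERPRETED_LAZY) != 0);
    return 0;
}
```

The point of the model is the second scenario: the flags never transition, so any later code that assumes "callee is delazified" reads a function in exactly the state the assertion rejects. A caller that checks the delazify() result (or has_script()) before reading the script is the guarded form.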
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE