The following testcase crashes on mozilla-central revision 4c987b7ed54a (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion --wasm-always-baseline): See attachment. Backtrace: #0 0x0000000000cdcc70 in js::wasm::CodeRange::CodeRange (this=<optimized out>, funcIndex=<optimized out>, funcLineOrBytecode=<optimized out>, offsets=...) at js/src/wasm/WasmCode.cpp:338 #1 0x0000000000d5fd4d in mozilla::detail::VectorImpl<js::wasm::CodeRange, 0ul, js::SystemAllocPolicy, true>::new_<unsigned int, unsigned int, js::wasm::FuncOffsets&>(js::wasm::CodeRange*, unsigned int&&, unsigned int&&, js::wasm::FuncOffsets&) (aDst=<optimized out>) at /home/gkwubu/shell-cache/js-dbg-64-linux-4c987b7ed54a/objdir-js/dist/include/mozilla/Vector.h:171 #2 mozilla::Vector<js::wasm::CodeRange, 0ul, js::SystemAllocPolicy>::emplaceBack<unsigned int, unsigned int, js::wasm::FuncOffsets&>(unsigned int&&, unsigned int&&, js::wasm::FuncOffsets&) (this=<optimized out>) at /home/gkwubu/shell-cache/js-dbg-64-linux-4c987b7ed54a/objdir-js/dist/include/mozilla/Vector.h:697 #3 js::wasm::ModuleGenerator::finishTask (this=this@entry=0x7fffd3daa130, task=0x7f90c37ae000) at js/src/wasm/WasmGenerator.cpp:456 #4 0x0000000000d78c37 in js::wasm::ModuleGenerator::launchBatchCompile (this=this@entry=0x7fffd3daa130) at js/src/wasm/WasmGenerator.cpp:944 /snip For detailed crash information, see attachment.

This also reproduces on mozilla-inbound rev 2f5e363685af which contains the fixes for bug 1349871 and bug 1350143.

Bisection is in progress but setting needinfo? from Benjamin as a start.

autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/4119fba22f7f user: Dan Gohman date: Fri Sep 23 09:13:15 2016 -0500 summary: Bug 1287220 - Baldr: update to binary version 0xc (r=luke) Not sure if this is entirely accurate.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #3) > This also reproduces on mozilla-inbound rev 2f5e363685af which contains the > fixes for bug 1349871 and bug 1350143. Strange, it is actually a duplicate of bug 1349871. Note the fix in 1349871 landed on autoland then central, so it wasn't on inbound until a merge from central-to-inbound. Could that be the reason of the confusion here?