Closed Bug 1376841 Opened 7 years ago Closed 7 years ago

[wasm] Crash [@ js_free]

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People

(Reporter: gkw, Assigned: luke)

References

Details

(Keywords: bugmon, crash, testcase, Whiteboard: [jsbugmon:update])

Crash Data

Attachments

(2 files)

The following testcase crashes on mozilla-central revision cc903e3f6189 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):

oomTest(function () {
    new WebAssembly.Instance(new WebAssembly.Module(wasmTextToBinary(`
        (module
          (global (mut i64) (i64.const 0))
          (func)
          (global (mut f64) (f64.const 0))
          (func (result f64)
            get_global 1)
          (global (mut i64) (i64.const 0))
          (func
            i64.const 0 i64.const 0 i32.const 0 select
            call 1
            set_global 1
            set_global 2)
          (func (result i64) (param f64) (param i64) (param i32)
            get_local 2
            i64.const 0 i64.const 0 i32.const 0 select
            drop
            i64.extend_s/i32)
          (func (result f32) (param i32) (param i64) (param f32)
            f64.const 0 f64.const 0 i32.const 0 select
            get_local 1
            get_local 2
            i32.const 0 i32.const 0 i32.const 0 select
            drop drop drop
            f32.demote/f64
            f64.const 0 f64.const 0 i32.const 0 select
            set_global 1
            i32.const 0 i32.const 0 i32.const 0 select
            i64.const 0
            get_global 2
            drop drop drop)
        )
    `)));
})

Backtrace:

#0 js_free (p=<error reading variable: Cannot access memory at address 0x20>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:257
#1 js::wasm::GlobalSegment::~GlobalSegment (this=0x7fd144616250, __in_chrg=<optimized out>) at js/src/wasm/WasmInstance.cpp:878
#2 js_delete<js::wasm::GlobalSegment> (p=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:383
#3 JS::DeletePolicy<js::wasm::GlobalSegment>::operator() (this=<optimized out>, ptr=0x7fd144616250) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/js/Utility.h:485
#4 mozilla::UniquePtr<js::wasm::GlobalSegment, JS::DeletePolicy<js::wasm::GlobalSegment> >::reset (aPtr=0x0, this=0x7fff2d04dfe0) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-cc903e3f6189/objdir-js/dist/include/mozilla/UniquePtr.h:343
/snip

For detailed crash information, see attachment.

js_free is on the stack, setting s-s as a start.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/ba901f83a5fd
user:        Luke Wagner
date:        Fri Jun 23 18:03:19 2017 -0500
summary:     Bug 1374218 - Baldr: ensure alignment of TlsData (r=lth)

Luke, is bug 1374218 a likely regressor?
Flags: needinfo?(luke)
Summary: Crash [@ js_free] → Crash [@ js_free] involving wasm
Summary: Crash [@ js_free] involving wasm → [wasm] Crash [@ js_free]
Attached patch fix-oom (deleted) — Splinter Review
D'oh, this code was implicitly relying before on js_free(nullptr) being a nop.
Assignee: nobody → luke
Flags: needinfo?(luke)
Attachment #8882045 - Flags: review?(lhansen)
Crash at reliably-small offset from null, so I don't think this is s-s.
Comment on attachment 8882045 [details] [diff] [review]
fix-oom

Review of attachment 8882045 [details] [diff] [review]:
-----------------------------------------------------------------

D'oh indeed.
Attachment #8882045 - Flags: review?(lhansen) → review+
Opening up as per comment 4.
Group: javascript-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
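The failure pattern behind this bug, reconstructed as an added example that is not SpiderMonkey's code: before the alignment change, the segment owned the raw allocation and a partially constructed segment simply called js_free(nullptr), which is a no-op; after it, the destructor reaches through the aligned pointer to find the original allocation base, so on the OOM path (where that pointer is still null) it reads at a small fixed offset from address 0, matching the "reliably-small offset from null" observation above. SegmentV1, SegmentV2, TlsData::allocatedBase, kTlsDataAlign and the fault-injecting test_calloc/test_free are assumptions made for the example; the real field layout and alignment are not on this page.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <memory>

// Simplified stand-ins (assumption): names, layout and alignment are invented.
static const size_t kTlsDataAlign = 64;

// Fault-injecting allocator so a test can drive the OOM path deterministically.
static int g_allocs_until_oom = -1;   // -1 means never fail
static int g_live_allocations = 0;

static void* test_calloc(size_t n) {
    if (g_allocs_until_oom == 0) return nullptr;      // simulated OOM
    if (g_allocs_until_oom > 0) --g_allocs_until_oom;
    void* p = std::calloc(1, n);
    if (p) ++g_live_allocations;
    return p;
}

static void test_free(void* p) {
    if (!p) return;                                   // like js_free(nullptr): a no-op
    --g_live_allocations;
    std::free(p);
}

// Version 1 (pre-regression shape): the segment owns the raw allocation.
// A partially constructed segment has ptr_ == nullptr, and freeing null is harmless.
class SegmentV1 {
    void* ptr_ = nullptr;
public:
    static std::unique_ptr<SegmentV1> create(size_t len) {
        std::unique_ptr<SegmentV1> seg(new SegmentV1);
        seg->ptr_ = test_calloc(len);
        if (!seg->ptr_) return nullptr;   // seg is destroyed here with ptr_ == nullptr
        return seg;
    }
    ~SegmentV1() { test_free(ptr_); }
};

// Version 2 (post-alignment shape): the segment hands out an aligned pointer into an
// over-allocated block and records the unaligned base in a header for later freeing.
struct TlsData {
    void* allocatedBase;      // the pointer the allocator actually returned
    size_t globalDataLength;  // global data follows this header
};

static TlsData* alignUp(void* base) {
    uintptr_t p = (reinterpret_cast<uintptr_t>(base) + kTlsDataAlign - 1)
                  & ~static_cast<uintptr_t>(kTlsDataAlign - 1);
    return reinterpret_cast<TlsData*>(p);
}

class SegmentV2 {
    TlsData* tlsData_ = nullptr;
public:
    static std::unique_ptr<SegmentV2> create(size_t len) {
        std::unique_ptr<SegmentV2> seg(new SegmentV2);
        void* base = test_calloc(kTlsDataAlign + sizeof(TlsData) + len);
        if (!base) return nullptr;        // seg is destroyed with tlsData_ == nullptr
        seg->tlsData_ = alignUp(base);
        seg->tlsData_->allocatedBase = base;
        seg->tlsData_->globalDataLength = len;
        return seg;
    }
    // Buggy destructor (the regression this bug describes):
    //     ~SegmentV2() { test_free(tlsData_->allocatedBase); }
    // On the OOM path tlsData_ is null, so loading allocatedBase dereferences
    // address 0 + offsetof(TlsData, allocatedBase): a crash at a small, fixed
    // offset from null rather than a harmless free(nullptr).
    ~SegmentV2() {
        if (tlsData_)                     // fixed: nothing to free if never allocated
            test_free(tlsData_->allocatedBase);
    }
    bool isAligned() const {
        return tlsData_ && reinterpret_cast<uintptr_t>(tlsData_) % kTlsDataAlign == 0;
    }
};

// Runs one create/destroy cycle of each version with the allocator told to fail on
// the given allocation. True if create() reported OOM as nullptr and nothing leaked.
static bool oomPathIsClean(int failAtAlloc) {
    g_allocs_until_oom = failAtAlloc;
    g_live_allocations = 0;
    bool v1 = SegmentV1::create(4096) == nullptr;
    g_allocs_until_oom = failAtAlloc;
    bool v2 = SegmentV2::create(4096) == nullptr;
    g_allocs_until_oom = -1;
    return v1 && v2 && g_live_allocations == 0;
}

// Happy path: both versions allocate, V2 hands out an aligned pointer, and both
// destructors release exactly what was allocated.
static bool happyPathIsClean() {
    g_allocs_until_oom = -1;
    g_live_allocations = 0;
    bool ok;
    {
        auto v1 = SegmentV1::create(4096);
        auto v2 = SegmentV2::create(4096);
        ok = v1 && v2 && v2->isAligned() && g_live_allocations == 2;
    }
    return ok && g_live_allocations == 0;
}
```

The point a reviewer checks on every such patch is the one the fix here restores: any destructor that derives the pointer it frees from a member must be valid for the state a failed factory leaves behind, not only for the fully constructed state. A fault-injecting allocator like test_calloc is the cheapest way to exercise that path in a unit test; oomTest in the JS shell is doing the same job at a larger scale.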