Closed Bug 1382434 Opened 7 years ago Closed 6 years ago

Assertion failure: result.unwrapErr() == AbortReason::Error, at js/src/jit/IonBuilder.cpp:3795 with OOM

Categories

(Core :: JavaScript Engine, defect, P3)

ARM
Linux
defect

Tracking

RESOLVED DUPLICATE of bug 1416794
Tracking Status
firefox56 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update,ignore])

The following testcase crashes on mozilla-central revision 1b065ffd8a53 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu --enable-simulator=arm, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off):

function f(arr) {}
function test(out) f(arr);
var obj = {};
try {
  test(obj);
} catch (lfVare) {}
loadFile(`
function f() {
  this.e = function() {};
  expect.defineProperty(this, test(() => Number.prototype.i.call(-Infinity, 555), i), {} );
}
new f();
`);
function loadFile(lfVarx) {
  try {
    oomTest(new Function(lfVarx));
  } catch (lfVare) {}
}

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x08308f8e in js::jit::IonBuilder::inlineScriptedCall (this=0xffffa224, callInfo=..., target=0xf5382c20) at js/src/jit/IonBuilder.cpp:3795
#0  0x08308f8e in js::jit::IonBuilder::inlineScriptedCall (this=0xffffa224, callInfo=..., target=0xf5382c20) at js/src/jit/IonBuilder.cpp:3795
#1  0x083090c4 in js::jit::IonBuilder::inlineSingleCall (this=0xffffa224, callInfo=..., targetArg=0xf5382c20) at js/src/jit/IonBuilder.cpp:4319
#2  0x0830a875 in js::jit::IonBuilder::inlineCallsite (this=0xffffa224, targets=..., callInfo=...) at js/src/jit/IonBuilder.cpp:4373
#3  0x0830abed in js::jit::IonBuilder::jsop_call (this=0xffffa224, argc=2, constructing=false, ignoresReturnValue=false) at js/src/jit/IonBuilder.cpp:5375
#4  0x083100f6 in js::jit::IonBuilder::inspectOpcode (this=0xffffa224, op=JSOP_CALL) at js/src/jit/IonBuilder.cpp:2041
#5  0x0831133c in js::jit::IonBuilder::visitBlock (this=0xffffa224, cfgblock=0xf798f29c, mblock=0xf79b82e0) at js/src/jit/IonBuilder.cpp:1539
#6  0x08306ff1 in js::jit::IonBuilder::traverseBytecode (this=0xffffa224) at js/src/jit/IonBuilder.cpp:1456
#7  0x08307c54 in js::jit::IonBuilder::build (this=0xffffa224) at js/src/jit/IonBuilder.cpp:846
#8  0x083159da in js::jit::AnalyzeNewScriptDefiniteProperties (cx=0xf791d000, fun=..., group=0xf536a538, baseobj=..., initializerList=0xffffa568) at js/src/jit/IonAnalysis.cpp:4230
#9  0x088655b2 in js::TypeNewScript::maybeAnalyze (this=0xf519cca0, cx=0xf791d000, group=0xf536a538, regenerate=0x0, force=true) at js/src/vm/TypeInference.cpp:3861
#10 0x08074410 in js::jit::IonCompile (cx=cx@entry=0xf791d000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x0, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2198
#11 0x0831a2cd in js::jit::Compile (cx=cx@entry=0xf791d000, script=script@entry=..., osrFrame=osrFrame@entry=0x0, osrPc=0x0, forceRecompile=false) at js/src/jit/Ion.cpp:2448
#12 0x0831a450 in js::jit::CanEnter (cx=0xf791d000, state=...) at js/src/jit/Ion.cpp:2545
#13 0x081731d7 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:386
#14 0x0817374d in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#15 0x081745ea in InternalConstruct (cx=0xf791d000, cx@entry=0xd7792b00, args=...) at js/src/vm/Interpreter.cpp:563
#16 0x081747d3 in js::ConstructFromStack (cx=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:599
#17 0x0823b967 in js::jit::DoCallFallback (cx=0xf791d000, frame=0xf55ffc98, stub_=0xf79b6030, argc=0, vp=0xf55ffc50, res=...) at js/src/jit/BaselineIC.cpp:2530
#18 0x084fa1f5 in js::jit::Simulator::softwareInterrupt (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:2624
#19 0x084fa5c6 in js::jit::Simulator::decodeType7 (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:3784
#20 0x084fbd42 in js::jit::Simulator::instructionDecode (this=0xf7974000, instr=0xf5077594) at js/src/jit/arm/Simulator-arm.cpp:4761
#21 0x084fc294 in js::jit::Simulator::execute<false> (this=0xf7974000) at js/src/jit/arm/Simulator-arm.cpp:4831
#22 js::jit::Simulator::callInternal (this=0xf7974000, entry=0x3db3da38 "\360O-\351\004\320M\342\020\212-\355\r\200\240\341h\220\235\345\r\260\240\341t\240\235", <incomplete sequence \345>) at js/src/jit/arm/Simulator-arm.cpp:4916
#23 0x084fc611 in js::jit::Simulator::call (this=<optimized out>, entry=<optimized out>, argument_count=<optimized out>) at js/src/jit/arm/Simulator-arm.cpp:4999
#24 0x0821a0c2 in EnterBaseline (cx=cx@entry=0xf791d000, data=...) at js/src/jit/BaselineJIT.cpp:162
#25 0x082345dd in js::jit::EnterBaselineMethod (cx=0xf791d000, state=...) at js/src/jit/BaselineJIT.cpp:200
#26 0x08173322 in js::RunScript (cx=0xf791d000, state=...) at js/src/vm/Interpreter.cpp:400
#27 0x081735f8 in js::InternalCallOrConstruct (cx=0xf791d000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#28 0x081738af in InternalCall (cx=cx@entry=0xf791d000, args=...) at js/src/vm/Interpreter.cpp:515
#29 0x08173a4a in js::Call (cx=0xf791d000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:534
#30 0x08566272 in JS_CallFunction (cx=0xf791d000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2907
#31 0x084835e9 in OOMTest (cx=0xf791d000, argc=1, vp=0xf55ffd88) at js/src/builtin/TestingFunctions.cpp:1549
[...]
#67 main (argc=5, argv=0xffffcdd4, envp=0xffffcdec) at js/src/shell/js.cpp:8515

eax            0x0                  0
ebx            0xffffa224           -24028
ecx            0xf7da4864           -136689564
edx            0x0                  0
esi            0xffff9dbc           -25156
edi            0xffff99a4           -26204
ebp            0xffff9c38           4294941752
esp            0xffff9900           4294940928
eip            0x8308f8e            <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2254>
=> 0x8308f8e <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2254>:	movl   $0x0,0x0
   0x8308f98 <js::jit::IonBuilder::inlineScriptedCall(js::jit::CallInfo&, JSFunction*)+2264>:	ud2
Keywords: triage-deferred
Priority: -- → P3
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,ignore]
autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/261ebf2e8bbd
user: Tom Schuster
date: Wed Nov 15 16:19:37 2017 +0100
summary: Bug 1319512 - Disable expression closures on Nightly. r=jandem

Tom/Jan, is bug 1319512 a likely fix?
Flags: needinfo?(jdemooij)
Flags: needinfo?(evilpies)
I think the test case just broke, because we disabled function expression. You can try if this still reproduces:

function f(arr) {}
function test(out) {
  f(arr);
}
var obj = {};
try {
  test(obj);
} catch (lfVare) {}
loadFile(`
function f() {
  this.e = function() {};
  expect.defineProperty(this, test(() => Number.prototype.i.call(-Infinity, 555), i), {} );
}
new f();
`);
function loadFile(lfVarx) {
  try {
    oomTest(new Function(lfVarx));
  } catch (lfVare) {}
}
Flags: needinfo?(evilpies)
With the testcase in comment 3, autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/0eca45c6fb2d
user: Nicolas B. Pierron
date: Fri Dec 23 15:54:10 2016 +0000
summary: Bug 1286505 part 2 - Use Result<V,E> to report errors within IonBuilder. r=h4writer

However, it no longer seems to reproduce on m-c tip rev 768eef11f5ff either, continuing to dig in...
Flags: needinfo?(jdemooij)
Flags: needinfo?(nicolas.b.pierron)
autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/e6be8071c22b
user: Nicolas B. Pierron
date: Fri Nov 17 13:21:08 2017 +0000
summary: Bug 1416794 - InliningDecision_Error is always reported with a pending exception, use AbortReason_Error instead of _Alloc. r=jandem

Nicolas, is bug 1416794 a likely fix?
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #5)
> Nicolas, is bug 1416794 a likely fix?

This sounds very likely.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(nicolas.b.pierron)
Resolution: --- → DUPLICATE