Closed
Bug 1390861
Opened 7 years ago
Closed 7 years ago
Crash [@ js::jit::JitFrameIterator::operator++] with OOM
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1384121
Branch | Tracking | Status
---|---|---
firefox57 | --- | affected
People: Reporter: decoder, Unassigned
References: Blocks 1 open bug
Details: 5 keywords, Whiteboard: [jsbugmon:update,bisect,ignore]
Crash Data
Attachments (1 file): (deleted), text/plain
The following testcase crashes on mozilla-central revision 564e82f0f289 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --ion-offthread-compile=off --ion-check-range-analysis --baseline-eager):
See attachment.
Backtrace:
received signal SIGSEGV, Segmentation fault.
js::jit::JitFrameIterator::operator++ (this=this@entry=0x7fffffff95a0) at js/src/jit/JitFrameIterator.cpp:172
#0 js::jit::JitFrameIterator::operator++ (this=this@entry=0x7fffffff95a0) at js/src/jit/JitFrameIterator.cpp:172
#1 0x00000000006b386d in InvalidateActivation (fop=fop@entry=0x7ffff694a080, activations=..., invalidateAll=invalidateAll@entry=true) at js/src/jit/Ion.cpp:2974
#2 0x00000000006b4803 in js::jit::InvalidateAll (fop=fop@entry=0x7ffff694a080, zone=zone@entry=0x7ffff6991000) at js/src/jit/Ion.cpp:3129
#3 0x0000000000e7aa9b in JS::Zone::discardJitCode (this=0x7ffff6991000, fop=0x7ffff694a080, discardBaselineCode=discardBaselineCode@entry=false) at js/src/gc/Zone.cpp:207
#4 0x0000000000c9855f in js::AutoClearTypeInferenceStateOnOOM::~AutoClearTypeInferenceStateOnOOM (this=0x7fffffff9820, __in_chrg=<optimized out>) at js/src/vm/TypeInference.cpp:4623
#5 0x0000000000cf91e1 in mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>::reset (this=0x7fffffff9820) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Maybe.h:446
#6 0x0000000000c98a3a in mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>::~Maybe (this=0x7fffffff9820, __in_chrg=<optimized out>) at /srv/jenkins/jobs/mozilla-central-build-jsshell/workspace/arch/64/compiler/gcc/sanitizer/none/type/debug/dist/include/mozilla/Maybe.h:100
#7 js::ObjectGroup::sweep (this=this@entry=0x7ffff528b280, oom=0x7fffffff9820, oom@entry=0x0) at js/src/vm/TypeInference.cpp:4397
#8 0x000000000050a7c3 in js::ObjectGroup::maybeSweep (oom=0x0, this=0x7ffff528b280) at js/src/vm/ObjectGroup-inl.h:26
#9 js::ObjectGroup::flags (this=0x7ffff528b280) at js/src/vm/ObjectGroup-inl.h:32
#10 js::ObjectGroup::unknownProperties (this=0x7ffff528b280) at js/src/vm/ObjectGroup-inl.h:67
#11 0x000000000050acf3 in js::TrackPropertyTypes (obj=0x7ffff528e060, id=...) at js/src/vm/TypeInference-inl.h:372
#12 0x000000000086bab9 in js::HasTypePropertyId (type=..., id=..., obj=0x7ffff528e060) at js/src/vm/TypeInference-inl.h:429
#13 js::HasTypePropertyId (value=..., id=..., obj=0x7ffff528e060) at js/src/vm/TypeInference-inl.h:438
#14 js::jit::SetNativeDataProperty<true> (cx=<optimized out>, obj=<optimized out>, name=<optimized out>, val=0x7fffffff9980) at js/src/jit/VMFunctions.cpp:1708
#15 0x00003b56f89f1584 in ?? ()
[...]
#22 0x0000000000000000 in ?? ()
rax 0x6 6
rbx 0x7fffffff95a0 140737488328096
rcx 0x0 0
rdx 0x0 0
rsi 0x115014e 18153806
rdi 0x7fffffff95a0 140737488328096
rbp 0x7fffffff9640 140737488328256
rsp 0x7fffffff9548 140737488328008
r8 0x0 0
r9 0x1f 31
r10 0xb 11
r11 0xd177c60d 3514287629
r12 0x12013f4 18879476
r13 0x1 1
r14 0x7ffff694a080 140737330323584
r15 0x7ffff695e058 140737330405464
rip 0x738629 <js::jit::JitFrameIterator::operator++()+9>
=> 0x738629 <js::jit::JitFrameIterator::operator++()+9>: mov 0x8(%rdx),%rax
0x73862d <js::jit::JitFrameIterator::operator++()+13>: movq $0x0,0x20(%rdi)
I'm marking this s-s because the bucket also has several crashes with random memory addresses. This is a long-standing issue, but I was finally able to come up with a reliable testcase even though it is hard to reduce it further.
Comment 1•7 years ago (Reporter)
Comment 2•7 years ago
Hm, this looks like bug 1384121. I'll try to get back to that soon...
Depends on: 1384121
Updated•7 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
Comment 3•7 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 04b6be50a252).
Comment 4•7 years ago
Did the patch for 1384121 fix this?
Flags: needinfo?(jdemooij)
Priority: -- → P1
Comment 5•7 years ago
(In reply to Naveed Ihsanullah [:naveed] from comment #4)
> Did the patch for 1384121 fix this?
Yep, it will.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Updated•7 years ago
Priority: P1 → --
Updated•4 years ago
Group: javascript-core-security