The following testcase crashes on mozilla-central revision d10c97627b51 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager): var lfLogBuffer = ` evalInWorker(\` for (let i = 0; i < 30; i++) { relazifyFunctions(); } \`); `; lfLogBuffer = lfLogBuffer.split('\n'); var lfCodeBuffer = ""; while (true) { var line = lfLogBuffer.shift(); if (line == null) { loadFile(lfCodeBuffer); } else { lfCodeBuffer += line + "\n"; function loadFile(lfVarx) { oomTest(function() {}); evaluate(lfVarx); } } } Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000509928 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1341 #0 0x0000000000509928 in js::gc::TenuredCell::zone (this=<optimized out>) at js/src/gc/Heap.h:1341 #1 0x0000000000b8f9ed in CancelOffThreadIonCompileLocked (selector=..., discardLazyLinkList=discardLazyLinkList@entry=false, lock=...) at js/src/vm/HelperThreads.cpp:309 #2 0x0000000000b8fcb6 in js::GlobalHelperThreadState::waitForAllThreadsLocked (this=0x7ffff694e800, lock=...) at js/src/vm/HelperThreads.cpp:1043 #3 0x0000000000524003 in js::oom::SimulateOOMAfter (allocations=allocations@entry=1, thread=thread@entry=2, always=always@entry=false) at js/src/jsutil.cpp:74 #4 0x00000000008845d1 in OOMTest (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1598 [...] #8 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff4149000 140737288376320 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffc9a0 140737488341408 rsp 0x7fffffffc990 140737488341392 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x58 88 r11 0x7ffff6b9f750 140737332770640 r12 0x7fffffffca70 140737488341616 r13 0x0 0 r14 0x7ffff694e800 140737330341888 r15 0x7ffff694e840 140737330341952 rip 0x509928 <js::gc::TenuredCell::zone() const+344> => 0x509928 <js::gc::TenuredCell::zone() const+344>: movl $0x0,0x0 0x509933 <js::gc::TenuredCell::zone() const+355>: ud2

JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151013053056" and the hash "8d9c20c241be7d7b3cfa90a3368a77db42172781". The "bad" changeset has the timestamp "20151013054956" and the hash "d80f9d6921f8209ef01aa730be9a97ab727704d1". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=8d9c20c241be7d7b3cfa90a3368a77db42172781&tochange=d80f9d6921f8209ef01aa730be9a97ab727704d1

The --enable-oom-breakpoint, OOM_VERBOSE=1 and js_failedAllocBreakpoint trick didn't seem to work here, the failure seemed to happen on another thread: allocation 23 allocation 24 finished after 23 allocations thread 2 allocation 1 Assertion failure: CurrentThreadCanAccessZone(zone), at /home/gkwubu/trees/mozilla-central/js/src/gc/Heap.h:1341

The problem is we call zone() on an IonBuilder's script which may be owned by another runtime, and this asserts. I think it's safe to use zoneFromAnyThread() here since we expect to encounter objects that are owned by different runtimes. The script should be held alive by the IonBuilder.

Comment on attachment 8903537 [details] [diff] [review] bug1394505-cancel-compilation Review of attachment 8903537 [details] [diff] [review]: ----------------------------------------------------------------- Thanks!

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/f45bc632fdc8 Avoid triggering zone assertion when cancelling code generation for IonBuilders owned by a different runtime r=jandem

Is this worth backporting to Beta? Grafts cleanly if the answer is yes.

(In reply to Ryan VanderMeulen [:RyanVM] from comment #7) The patch just removes the assertion and doesn't affect release builds. I say let it ride the trains unless it's causing test failures.