The following testcase crashes on mozilla-central revision 3ecda4678c49 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --thread-count=2 --baseline-eager --ion-offthread-compile=off --ion-check-range-analysis): See attachment. Backtrace: received signal SIGSEGV, Segmentation fault. js::jit::ScriptFromCalleeToken (token=0xfffe7ffff2166fa0) at js/src/jit/JitFrames.h:86 #0 js::jit::ScriptFromCalleeToken (token=0xfffe7ffff2166fa0) at js/src/jit/JitFrames.h:86 #1 js::jit::JSJitFrameIter::script (this=0x7fffffff8280) at js/src/jit/JSJitFrameIter.cpp:110 #2 0x00000000006ba71d in InvalidateActivation (fop=fop@entry=0x7ffff694a080, activations=..., invalidateAll=invalidateAll@entry=true) at js/src/jit/Ion.cpp:2998 #3 0x00000000006bb503 in js::jit::InvalidateAll (fop=fop@entry=0x7ffff694a080, zone=zone@entry=0x7ffff4f6a000) at js/src/jit/Ion.cpp:3130 #4 0x0000000000e64b3b in JS::Zone::discardJitCode (this=0x7ffff4f6a000, fop=0x7ffff694a080, discardBaselineCode=discardBaselineCode@entry=false) at js/src/gc/Zone.cpp:207 #5 0x0000000000c8ea7f in js::AutoClearTypeInferenceStateOnOOM::~AutoClearTypeInferenceStateOnOOM (this=0x7fffffff84e0, __in_chrg=<optimized out>) at js/src/vm/TypeInference.cpp:4622 #6 0x0000000000cdf5e1 in mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>::reset (this=0x7fffffff84e0) at dist/include/mozilla/Maybe.h:446 #7 0x0000000000c8ef5a in mozilla::Maybe<js::AutoClearTypeInferenceStateOnOOM>::~Maybe (this=0x7fffffff84e0, __in_chrg=<optimized out>) at dist/include/mozilla/Maybe.h:100 #8 js::ObjectGroup::sweep (this=this@entry=0x7ffff528d280, oom=0x7fffffff84e0, oom@entry=0x0) at js/src/vm/TypeInference.cpp:4396 #9 0x000000000050b103 in js::ObjectGroup::maybeSweep (oom=0x0, this=0x7ffff528d280) at js/src/vm/ObjectGroup-inl.h:26 #10 js::ObjectGroup::flags (this=0x7ffff528d280) at js/src/vm/ObjectGroup-inl.h:32 #11 js::ObjectGroup::unknownProperties (this=0x7ffff528d280) at js/src/vm/ObjectGroup-inl.h:67 #12 0x000000000050b633 in js::TrackPropertyTypes (obj=obj@entry=0x7ffff5290060, id=..., id@entry=...) at js/src/vm/TypeInference-inl.h:372 #13 0x000000000086b329 in js::HasTypePropertyId (type=..., id=..., obj=0x7ffff5290060) at js/src/vm/TypeInference-inl.h:429 #14 js::HasTypePropertyId (value=..., id=..., obj=0x7ffff5290060) at js/src/vm/TypeInference-inl.h:438 #15 js::jit::SetNativeDataProperty<true> (cx=<optimized out>, obj=<optimized out>, name=<optimized out>, val=0x7fffffff8640) at js/src/jit/VMFunctions.cpp:1710 #16 0x0000089a5c1fcd64 in ?? () [...] #33 0x0000000000000000 in ?? () rax 0xfffe7ffff2166fa0 -422212698476640 rbx 0x7fffffff8280 140737488323200 rcx 0x20 32 rdx 0x0 0 rsi 0xf 15 rdi 0x7fffffff8280 140737488323200 rbp 0x7fffffff81f0 140737488323056 rsp 0x7fffffff81f0 140737488323056 r8 0x0 0 r9 0x7ffff4ee4130 140737302642992 r10 0x17 23 r11 0x7ffff699b108 140737330655496 r12 0x2 2 r13 0x113a172 18063730 r14 0x7ffff694a080 140737330323584 r15 0x11ebf34 18792244 rip 0x73c858 <js::jit::JSJitFrameIter::script() const+56> => 0x73c858 <js::jit::JSJitFrameIter::script() const+56>: testb $0x1,0x22(%rax) 0x73c85c <js::jit::JSJitFrameIter::script() const+60>: je 0x73c930 <js::jit::JSJitFrameIter::script() const+272> The testcase is intermittent, so a bisection might be complicated, but similar crashes I could never reproduce. So this is a good opportunity to squash an annoying OOM bug. Marking s-s due to non-null crash and since this seems to have to do with JIT.

JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.

Jan please take a look and evaluate both sec and stability risk.

This is the bug I'm fixing in bug 1384121.