The following testcase crashes on mozilla-central revision 4e6df5159df3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe): let moduleRepo = {}; setModuleResolveHook(function(module, specifier) { return moduleRepo[specifier]; }); var lfLogBuffer = ` let c = moduleRepo['c'] = parseModule("export * from 'a'; export * from 'b';"); try { c.declarationInstantiation(); } catch (exc) {} let d = moduleRepo['d'] = parseModule("import { a } from 'c'; a;"); d.declarationInstantiation(); `; loadFile(lfLogBuffer); function loadFile(lfVarx) { oomTest(function() { eval(lfVarx); }); } Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000c2dac0 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:409 #0 0x0000000000c2dac0 in intrinsic_AssertionFailed (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:409 #1 0x000000000055e631 in js::CallJSNative (cx=0x7ffff6948000, native=0xc2da00 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:291 #2 0x0000000000552dbf in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6948000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:472 #3 0x000000000055319d in InternalCall (cx=0x7ffff6948000, args=...) at js/src/vm/Interpreter.cpp:521 #4 0x00000000005532ca in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:527 #5 0x000000000063a283 in js::jit::DoCallFallback (cx=0x7ffff6948000, frame=0x7fffffffa058, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffff9fe8, res=...) at js/src/jit/BaselineIC.cpp:2539 #6 0x00000f986d0734cb in ?? () #7 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7fffffff98a0 140737488328864 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffff98e0 140737488328928 rsp 0x7fffffff9880 140737488328832 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x58 88 r11 0x7ffff6b9f750 140737332770640 r12 0x7ffff465ab60 140737293691744 r13 0xc2da00 12769792 r14 0x7fffffffa000 140737488330752 r15 0x1 1 rip 0xc2dac0 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+192> => 0xc2dac0 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+192>: movl $0x0,0x0 0xc2dacb <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+203>: ud2

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/2e4748827cda user: Jon Coppeard date: Wed Aug 09 18:05:15 2017 +0100 summary: Bug 1374239 - Store and re-throw module instantiation and evaluation errors r=shu This iteration took 1.187 seconds to run.

Jon, is bug 1374239 a likely regressor?

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 91cecf141b8b).

JSBugMon: Fix Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/7a1ca2738093 user: Jon Coppeard date: Wed Dec 06 14:54:58 2017 +0000 summary: Bug 1420420 - Update module implementation to match latest spec regarding handling of instantiation errors r=anba r=baku r=jgraham This iteration took 281.836 seconds to run.

Handling of instantiation errors has been updated in bug 1420420 and this no longer reproduces.

Since the bug fixing this is known, resolving -> FIXED