The following testcase crashes on mozilla-central revision 5b33b070378a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off): oomTest( function() { eval(` function f(stdlib, foreign, buffer) { "use asm"; var i32 = new stdlib.Int32Array(buffer); function set(v) { v=v|0; i32[5] = v; } return set; } `); } ); Backtrace: received signal SIGSEGV, Segmentation fault. [Switching to Thread 0x7ffff54fa700 (LWP 20074)] js::jit::MNode::setBlockAndKind (this=0x0, kind=js::jit::MNode::Kind::Definition, block=0x7ffff5fa1038) at js/src/jit/MIR.h:328 #0 js::jit::MNode::setBlockAndKind (this=0x0, kind=js::jit::MNode::Kind::Definition, block=0x7ffff5fa1038) at js/src/jit/MIR.h:328 #1 js::jit::MDefinition::setBlock (block=0x7ffff5fa1038, this=0x0) at js/src/jit/MIR.h:544 #2 js::jit::MBasicBlock::add (this=0x7ffff5fa1038, ins=ins@entry=0x0) at js/src/jit/MIRGraph.h:1123 #3 0x0000000000db152d in (anonymous namespace)::FunctionCompiler::store (this=this@entry=0x7ffff54f7f30, base=0x7ffff5fa12a0, access=access@entry=0x7ffff54f6ed0, v=0x7ffff5fa11a0) at js/src/wasm/WasmIonCompile.cpp:900 #4 0x000000000043a162 in EmitTeeStore (f=..., resultType=resultType@entry=js::wasm::ValType::I32, viewType=viewType@entry=js::Scalar::Int32) at js/src/wasm/WasmIonCompile.cpp:2642 #5 0x0000000000dd751f in EmitBodyExprs (f=...) at js/src/wasm/WasmIonCompile.cpp:4140 #6 js::wasm::IonCompileFunctions (env=..., lifo=..., inputs=..., code=code@entry=0x7ffff5f91690, error=error@entry=0x7ffff54f8ee0) at js/src/wasm/WasmIonCompile.cpp:4344 #7 0x0000000000ddb105 in ExecuteCompileTask (task=0x7ffff5f91410, error=error@entry=0x7ffff54f8ee0) at js/src/wasm/WasmGenerator.cpp:622 #8 0x0000000000ddebd7 in js::wasm::ExecuteCompileTaskFromHelperThread (task=task@entry=0x7ffff5f91410) at js/src/wasm/WasmGenerator.cpp:644 [...] #15 0x00007ffff6c383dd in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:109 rax 0x0 0 rbx 0x7ffff5fa1038 140737320194104 rcx 0x0 0 rdx 0x0 0 rsi 0x0 0 rdi 0x7ffff5fa12a0 140737320194720 rbp 0x7ffff54f6e40 140737309011520 rsp 0x7ffff54f6e20 140737309011488 r8 0xfc58 64600 r9 0x0 0 r10 0x0 0 r11 0x0 0 r12 0x0 0 r13 0x7ffff5fa1060 140737320194144 r14 0x4 4 r15 0x7ffff54f7150 140737309012304 rip 0x736ab3 <js::jit::MBasicBlock::add(js::jit::MInstruction*)+67> => 0x736ab3 <js::jit::MBasicBlock::add(js::jit::MInstruction*)+67>: mov %rbx,0x8(%r12) 0x736ab8 <js::jit::MBasicBlock::add(js::jit::MInstruction*)+72>: jne 0x736b60 <js::jit::MBasicBlock::add(js::jit::MInstruction*)+240> There is something interesting (but unrelated to the crash) about this testcase: The reducer removed the "}" after the return in the test and it still crashes. I think there is something wrong with our parser here too because that should raise a syntax error, shouldn't it ?

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/cc6c341c68f8 user: Lars T Hansen date: Mon Jul 03 17:20:01 2017 -0700 summary: Bug 1377576 - Ion support for wasm atomics. r=bbouvier This iteration took 285.463 seconds to run.

Lars, is bug 1377576 a likely regressor?

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2) > Lars, is bug 1377576 a likely regressor? No, but I can investigate a little.

I take that back, this is definitely caused by that patch. I misinterpreted the meaning of some guards and removed them, but I should not have. Will fix today.

Comment on attachment 8933258 [details] Bug 1421565 - Propagate allocation failure. https://reviewboard.mozilla.org/r/204198/#review209752 Thanks! Can you add tests too, please?

Pushed by lhansen@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/6c3f4eec727a Propagate allocation failure. r=bbouvier