The following testcase crashes on mozilla-central revision 8fb36531f7d0 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe): oomTest(function() { grayRoot().x = Object.create((obj[name]++)); }); oomTest(function() { gczeal(9); gcslice(new.target); }); Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000ef6e85 in js::gc::GCRuntime::groupZonesForSweeping (this=this@entry=0x7ffff5f19700, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:5011 #0 0x0000000000ef6e85 in js::gc::GCRuntime::groupZonesForSweeping (this=this@entry=0x7ffff5f19700, reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:5011 #1 0x0000000000f0bbaa in js::gc::GCRuntime::beginSweepPhase (this=this@entry=0x7ffff5f19700, reason=reason@entry=JS::gcreason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:5856 #2 0x0000000000f11566 in js::gc::GCRuntime::incrementalCollectSlice (this=this@entry=0x7ffff5f19700, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC, session=...) at js/src/gc/GC.cpp:7142 #3 0x0000000000f12910 in js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff5f19700, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:7476 #4 0x0000000000f12fa5 in js::gc::GCRuntime::collect (this=this@entry=0x7ffff5f19700, nonincrementalByAPI=nonincrementalByAPI@entry=false, budget=..., reason=reason@entry=JS::gcreason::DEBUG_GC) at js/src/gc/GC.cpp:7620 #5 0x0000000000f148b5 in js::gc::GCRuntime::startDebugGC (this=0x7ffff5f19700, gckind=gckind@entry=GC_NORMAL, budget=...) at js/src/gc/GC.cpp:7759 #6 0x00000000008b2c12 in GCSlice (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1150 #7 0x00000000005b4b1e in js::CallJSNative (cx=0x7ffff5f17000, native=0x8b2a90 <GCSlice(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280 #8 0x00000000005a9a3f in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467 #9 0x00000000005a9e1d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:516 #10 0x000000000059d517 in js::CallFromStack (args=..., cx=<optimized out>) at js/src/vm/Interpreter.cpp:522 #11 Interpret (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:3086 #12 0x00000000005a94fd in js::RunScript (cx=0x7ffff5f17000, state=...) at js/src/vm/Interpreter.cpp:417 #13 0x00000000005a9b07 in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f17000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:489 #14 0x00000000005a9e1d in InternalCall (cx=0x7ffff5f17000, args=...) at js/src/vm/Interpreter.cpp:516 #15 0x00000000005a9fa0 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535 #16 0x0000000000a4fd21 in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., fun@entry=..., args=..., rval=..., rval@entry=...) at js/src/jsapi.cpp:2948 #17 0x00000000008cd5a3 in OOMTest (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1787 #18 0x00000000005b4b1e in js::CallJSNative (cx=0x7ffff5f17000, native=0x8cd1b0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:280 [...] #32 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9326 rax 0x0 0 rbx 0x7ffff5f1aa10 140737319643664 rcx 0x7ffff6c282ad 140737333330605 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffb8d0 140737488337104 rsp 0x7fffffffb7a0 140737488336800 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4780 140737354024832 r10 0x58 88 r11 0x7ffff6b9e7a0 140737332766624 r12 0x7ffff5f19700 140737319638784 r13 0x7fffffffb7f0 140737488336880 r14 0x7fffffffb920 140737488337184 r15 0x7 7 rip 0xef6e85 <js::gc::GCRuntime::groupZonesForSweeping(JS::gcreason::Reason)+1557> => 0xef6e85 <js::gc::GCRuntime::groupZonesForSweeping(JS::gcreason::Reason)+1557>: movl $0x0,0x0 0xef6e90 <js::gc::GCRuntime::groupZonesForSweeping(JS::gcreason::Reason)+1568>: ud2 Marking s-s for now due to GC involved.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/de5cfd97ac49 user: Jon Coppeard date: Tue Apr 17 08:44:56 2018 +0200 summary: Bug 1453028 - Add a new sweep action to yield in a specified zeal mode r=sfink This iteration took 1.406 seconds to run.

The problem here is that isIncremental can be set to false after we've set useZeal if we hit OOM when buffering gray roots. This makes incremental zeal GCs non-incremental. We just need to to take account of this possibility. Not s-s because it only requires GC zeal which is debug-only.

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/fb45edcf3d46 Gray buffering failure can make zeal GCs non-incremental r=sfink