The following testcase crashes on mozilla-central revision 0be4463d2915 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-eager --ion-offthread-compile=off): assertEq = function(a) { a.toString(); } var g = newGlobal({ sameCompartmentAs: this }); g.evaluate("function Obj() {}"); assertEq(assertEq(new g.Obj())); Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000d19490 in js::TypeNewScript::maybeAnalyze (this=0x7ffff5fad100, cx=<optimized out>, group=<optimized out>, group@entry=0x7ffff4dbc0d0, regenerate=regenerate@entry=0x0, force=force@entry=true) at js/src/vm/TypeInference.cpp:3853 #0 0x0000000000d19490 in js::TypeNewScript::maybeAnalyze (this=0x7ffff5fad100, cx=<optimized out>, group=<optimized out>, group@entry=0x7ffff4dbc0d0, regenerate=regenerate@entry=0x0, force=force@entry=true) at js/src/vm/TypeInference.cpp:3853 #1 0x00000000007eaecb in js::jit::IonCompile (cx=<optimized out>, cx@entry=0x7ffff5f17000, script=<optimized out>, baselineFrame=baselineFrame@entry=0x7fffffffbd18, osrPc=osrPc@entry=0x0, recompile=<optimized out>, optimizationLevel=<optimized out>) at js/src/jit/Ion.cpp:2108 #2 0x00000000007eb366 in js::jit::Compile (cx=cx@entry=0x7ffff5f17000, script=script@entry=..., osrFrame=osrFrame@entry=0x7fffffffbd18, osrPc=osrPc@entry=0x0, forceRecompile=forceRecompile@entry=false) at js/src/jit/Ion.cpp:2375 #3 0x00000000007ebbc2 in BaselineCanEnterAtEntry (frame=0x7fffffffbd18, script=..., cx=0x7ffff5f17000) at js/src/jit/Ion.cpp:2491 #4 js::jit::IonCompileScriptForBaseline (cx=<optimized out>, frame=0x7fffffffbd18, pc=<optimized out>) at js/src/jit/Ion.cpp:2613 #5 0x0000035a4cca08b2 in ?? () #6 0x2000000000000000 in ?? () #7 0x00007fffffffbce8 in ?? () #8 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff5fad100 140737320243456 rcx 0x7ffff6c282ad 140737333330605 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffb9b0 140737488337328 rsp 0x7fffffffb7b0 140737488336816 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4780 140737354024832 r10 0x58 88 r11 0x7ffff6b9e7a0 140737332766624 r12 0x1 1 r13 0x7ffff5fad100 140737320243456 r14 0x7fffffffb830 140737488336944 r15 0x7ffff4dbc0d0 140737301430480 rip 0xd19490 <js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool)+2000> => 0xd19490 <js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool)+2000>: movl $0x0,0x0 0xd1949b <js::TypeNewScript::maybeAnalyze(JSContext*, js::ObjectGroup*, bool*, bool)+2011>: ud2

Same-compartment-realms issue. Should be easy to fix, I'll get to it soonish.

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/ca6490693cad user: Jan de Mooij date: Tue Jun 26 09:42:06 2018 +0200 summary: Bug 1470250 part 5 - Use AutoRealm when calling natives or resolve hooks. r=luke This iteration took 291.500 seconds to run.

Comment on attachment 9001556 [details] [diff] [review] Make sure TypeNewScript::maybeAnalyze is called in the group's realm Review of attachment 9001556 [details] [diff] [review]: ----------------------------------------------------------------- (Sorry for the delay; back from PTO)

Pushed by jandemooij@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8695f16b39ed Make sure TypeNewScript::maybeAnalyze is called in the group's realm. r=luke

(In reply to Luke Wagner [:luke] from comment #4) > (Sorry for the delay; back from PTO) No problem, not urgent at all.