Closed Bug 1500744 Opened 6 years ago Closed 6 years ago

Assertion failure: false (owner_.compareExchange(nullptr, this)), at dist/include/js/Utility.h:359

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1501229
Tracking Status
firefox64 --- affected

People

(Reporter: decoder, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [fuzzblocker] [jsbugmon:])

The following testcase crashes on mozilla-central revision f88ebf2720c8 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off --enable-streams --spectre-mitigations=off --ion-warmup-threshold=100 --arm-sim-icache-checks --ion-extra-checks --ion-eager --no-wasm-ion --baseline-eager --no-native-regexp):

evalInWorker(`
  oomTest(function() {
    lfOOM = true;
  });
`);
evalInWorker(`
  oomTest(function() {
    lfOOM = true;
  });
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
#0  0x5674c199 in js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0xed7fd910) at dist/include/js/Utility.h:359
#1  0x569a1efb in js::LifoAlloc::allocInfallible (this=0xf6eb8ca0, n=12) at js/src/ds/LifoAlloc.h:684
#2  0x56b48c43 in js::jit::TempAllocator::allocateInfallible (bytes=12, this=<optimized out>) at js/src/jit/JitAllocPolicy.h:45
#3  js::jit::TempObject::operator new (alloc=..., nbytes=12) at js/src/jit/JitAllocPolicy.h:170
#4  js::jit::IonBuilder::bytecodeSite (this=0xedb521c0, pc=0xf6eb8b34 <incomplete sequence \326>) at js/src/jit/IonBuilder.h:986
#5  0x56aefa91 in js::jit::IonBuilder::newBlock (this=0xedb521c0, stackDepth=3, pc=0xf6eb8b34 <incomplete sequence \326>, maybePredecessor=0x0) at js/src/jit/IonBuilder.cpp:6975
#6  0x56b3dd10 in js::jit::IonBuilder::build (this=0xedb521c0) at js/src/jit/IonBuilder.cpp:788
#7  0x56ada248 in js::jit::IonCompile (cx=<optimized out>, cx@entry=0xf6e2f000, script=<optimized out>, baselineFrame=baselineFrame@entry=0xed7fdc98, osrPc=0x0, recompile=false, optimizationLevel=js::jit::OptimizationLevel::Normal) at js/src/jit/Ion.cpp:2137
#8  0x56adb20a in js::jit::Compile (cx=cx@entry=0xf6e2f000, script=..., script@entry=..., osrFrame=osrFrame@entry=0xed7fdc98, osrPc=<optimized out>, forceRecompile=<optimized out>) at js/src/jit/Ion.cpp:2439
#9  0x56adbbc2 in BaselineCanEnterAtEntry (frame=0xed7fdc98, script=..., cx=0xf6e2f000) at js/src/jit/Ion.cpp:2564
#10 js::jit::IonCompileScriptForBaseline (cx=<optimized out>, frame=0xed7fdc98, pc=0xf6eb8b34 <incomplete sequence \326>) at js/src/jit/Ion.cpp:2697
#11 0xee26e0c2 in ?? ()
#12 0xee260b85 in ?? ()
#13 0x56b6776f in EnterJit (cx=0x1443, cx@entry=0xf6e2f000, state=..., code=0xee2b0ea0 "\351\033") at js/src/jit/Jit.cpp:105
#14 0x56b6807f in js::jit::MaybeEnterJit (cx=0xf6e2f000, state=...) at js/src/jit/Jit.cpp:170
#15 0x56883a9a in js::RunScript (cx=0xf6e2f000, state=...) at js/src/vm/Interpreter.cpp:432
#16 0x568841cc in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:587
#17 0x568846c0 in InternalCall (cx=cx@entry=0xf6e2f000, args=...) at js/src/vm/Interpreter.cpp:614
#18 0x5688487a in js::Call (cx=0xf6e2f000, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:633
#19 0x56d96567 in JS_CallFunction (cx=<optimized out>, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2936
#20 0x56b974c6 in RunIterativeFailureTest (cx=<optimized out>, params=..., simulator=...) at js/src/builtin/TestingFunctions.cpp:1915
#21 0x56b97e2a in OOMTest (cx=0xf6e2f000, argc=1, vp=0xed7fe858) at js/src/builtin/TestingFunctions.cpp:2101
#22 0x5689151a in CallJSNative (cx=0xf6e2f000, native=0x56b97d70 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:468
#23 0x5688411d in js::InternalCallOrConstruct (cx=<optimized out>, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:560
#24 0x568846c0 in InternalCall (cx=cx@entry=0xf6e2f000, args=...) at js/src/vm/Interpreter.cpp:614
#25 0x5688483f in js::CallFromStack (cx=0xf6e2f000, args=...) at js/src/vm/Interpreter.cpp:620
#26 0x56a211d4 in js::jit::DoCallFallback (cx=<optimized out>, frame=0xed7fe898, stub_=0xedb27040, argc=1, vp=0xed7fe858, res=...) at js/src/jit/BaselineIC.cpp:3685
#27 0xee26aeda in ?? ()
#28 0xedb27040 in ?? ()
#29 0xee260b85 in ?? ()

eax	0x0	0
ebx	0x578beff4	1468788724
ecx	0xf7d90864	-136771484
edx	0x0	0
esi	0xed7fd910	-310388464
edi	0x578c0ac8	1468795592
ebp	0xed7fd8e8	3984578792
esp	0xed7fd8c0	3984578752
eip	0x5674c199	<js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+233>
=> 0x5674c199 <js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+233>:	movl   $0x0,0x0
   0x5674c1a3 <js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion()+243>:	ud2

I'm seeing this crash with various stacks right before the AutoEnterOOMUnsafeRegion (lifoAlloc, GC, irregexp, etc.). Are these likely all the same bug? Also, this testcase is racy; you might have to run it several times to reproduce. This is causing lots of crashes, marking as fuzzblocker.
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update,bisect,ignore]
Setting needinfo? from Iain as a start. This testcase is likely racy as per comment 0, so comment 1 likely isn't correct.
Flags: needinfo?(iireland)
Whiteboard: [fuzzblocker] [jsbugmon:update,bisect,ignore] → [fuzzblocker] [jsbugmon:]
It looks like this was fixed in bug 1501229. The failure is a race condition in which two threads attempt to enter an OOMUnsafeRegion at the same time. That shouldn't happen, because worker threads shouldn't be doing {oom,stack,interrupt}tests. With the failing revision, this testcase runs to completion and occasionally segfaults. With the fix from bug 1501229, we get two warnings ("<string>:2:3 Error: Simulated OOM failure is only supported on the main thread") and avoid the problem. Closing as duplicate.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(iireland)
Resolution: --- → DUPLICATE
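To make the failure mode in the comment above concrete, here is an added example (not SpiderMonkey's code and not attached to this bug) of why a single-owner guard built on compare-exchange trips when two claimants overlap, and how gating the simulation to the main thread removes the race. `OOMUnsafeRegion`, `Outcome`, the `isMainThread` flag and all function names are simplified stand-ins invented for this illustration; only the shape of the check (`owner_` claimed with compare-exchange from `nullptr`, as in the assertion message) follows the page. The overlap is replayed deterministically on one thread, which is enough because compare-exchange on the shared `owner_` gives the same answer no matter which thread makes the second claim.

```cpp
#include <atomic>
#include <cstdio>

// Simplified stand-in for a single-owner RAII region (hypothetical; not
// js::AutoEnterOOMUnsafeRegion itself). A process-wide atomic owner_ is claimed
// with compare-exchange; a second claim while the first is still held fails,
// which is the condition behind the assertion
// `owner_.compareExchange(nullptr, this)` in the bug summary.
class OOMUnsafeRegion {
  static std::atomic<OOMUnsafeRegion*> owner_;
  bool owns_ = false;

 public:
  OOMUnsafeRegion() = default;
  OOMUnsafeRegion(const OOMUnsafeRegion&) = delete;
  OOMUnsafeRegion& operator=(const OOMUnsafeRegion&) = delete;
  ~OOMUnsafeRegion() { leave(); }

  // Try to claim the region. Returns false when another region (in the bug,
  // one entered by a worker thread) already holds owner_.
  bool enter() {
    OOMUnsafeRegion* expected = nullptr;
    owns_ = owner_.compare_exchange_strong(expected, this);
    return owns_;
  }

  // Release only if this object is the one that claimed owner_.
  void leave() {
    if (owns_) {
      owner_.store(nullptr);
      owns_ = false;
    }
  }
};
std::atomic<OOMUnsafeRegion*> OOMUnsafeRegion::owner_{nullptr};

// Result of one claimant's attempt to run simulated-OOM code.
enum class Outcome { Entered, RaceDetected, RefusedOffMainThread };

// Before the fix: every thread running an oomTest claims the region.
Outcome attemptUnguarded() {
  OOMUnsafeRegion region;
  return region.enter() ? Outcome::Entered : Outcome::RaceDetected;
}

// After the fix described in the comment above: simulated OOM is only
// supported on the main thread, so a worker never touches owner_ and cannot
// race for it. isMainThread is a hypothetical flag standing in for the
// engine's own thread check.
Outcome attemptGuarded(bool isMainThread) {
  if (!isMainThread) return Outcome::RefusedOffMainThread;  // warning path
  return attemptUnguarded();
}

// Deterministic replay of the overlap: a "main thread" claimant holds the
// region while a second claimant, playing the worker, tries to enter.
Outcome secondClaimWhileHeld(bool applyFix) {
  OOMUnsafeRegion mainRegion;
  if (!mainRegion.enter()) return Outcome::RaceDetected;  // nothing should hold it yet
  Outcome worker = applyFix ? attemptGuarded(/*isMainThread=*/false)
                            : attemptUnguarded();
  mainRegion.leave();
  return worker;
}

int main() {
  std::printf("unguarded second claim: %s\n",
              secondClaimWhileHeld(false) == Outcome::RaceDetected ? "race detected"
                                                                    : "entered");
  std::printf("guarded second claim:   %s\n",
              secondClaimWhileHeld(true) == Outcome::RefusedOffMainThread
                  ? "refused off main thread"
                  : "entered");
  return 0;
}
```

The unguarded path returns `RaceDetected` exactly where the real build asserts; the guarded path never reaches `owner_` from the worker, which matches the two "only supported on the main thread" warnings reported once bug 1501229 landed.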