The following traces we're taken from mozilla-central revision 7130e5134a6e: Program received signal SIGSEGV, Segmentation fault. js::types::TypeObject::addProperty (this=0xf7469400, cx=0x9366458, id=$jsid(0x0), pprop=0xf7469418) at js/src/jsinfer.cpp:3691 3691 if (singleton && singleton->isNative()) { #0 js::types::TypeObject::addProperty (this=0xf7469400, cx=0x9366458, id=$jsid(0x0), pprop=0xf7469418) at js/src/jsinfer.cpp:3691 #1 0x0813638f in js::types::TypeObject::getProperty (this=0xf7469400, cx=0x9366458, id=$jsid(0x0), own=false) at ../jsinferinlines.h:1663 #2 0x08137c40 in js::types::StackTypeSet::hasObjectFlags (this=0x93f9640, cx=0x9366458, flags=4194304) at js/src/jsinfer.cpp:1922 #3 0x0870a289 in MaybeEmulatesUndefined (op=0x9452fb0, cx=0x9366458) at js/src/ion/MIR.cpp:197 #4 MaybeEmulatesUndefined (op=0x9452fb0, cx=0x9366458) at js/src/ion/MIR.cpp:1426 #5 js::ion::MCompare::infer (this=0x9500d88, cx=0x9366458, inspector=0xffffb61c, pc=0x93f7535 "\022\005T") at js/src/ion/MIR.cpp:1430 #6 0x084d277c in js::ion::IonBuilder::jsop_compare (this=0xffffb660, op=JSOP_EQ) at js/src/ion/IonBuilder.cpp:5049 #7 0x084ea239 in js::ion::IonBuilder::inspectOpcode (this=0xffffb660, op=JSOP_EQ) at js/src/ion/IonBuilder.cpp:1158 [...] The last hit to js_ReportOutOfMemory was this: Breakpoint 1, js_ReportOutOfMemory (cx=0x9366458) at js/src/jscntxt.cpp:500 500 { #0 js_ReportOutOfMemory (cx=0x9366458) at js/src/jscntxt.cpp:500 #1 0x081303cd in setPendingNukeTypes (cx=0x9366458, this=<optimized out>) at js/src/jsinfer.cpp:2865 #2 JSObject::makeLazyType (cx=0x9366458, obj=(JSObject * const) 0xf74350b0 [object JSON]) at js/src/jsinfer.cpp:6191 #3 0x08137d4e in getType (cx=0x9366458, this=<optimized out>) at ../jsobjinlines.h:774 #4 js::types::StackTypeSet::hasObjectFlags (this=0x93f9640, cx=0x9366458, flags=4194304) at js/src/jsinfer.cpp:1912 #5 0x0870a289 in MaybeEmulatesUndefined (op=0x9452fb0, cx=0x9366458) at js/src/ion/MIR.cpp:197 #6 MaybeEmulatesUndefined (op=0x9452fb0, cx=0x9366458) at js/src/ion/MIR.cpp:1426 #7 js::ion::MCompare::infer (this=0x9500d88, cx=0x9366458, inspector=0xffffb61c, pc=0x93f7535 "\022\005T") at js/src/ion/MIR.cpp:1430 [...] This keeps triggering all the time, it's just hard to come up with a small test. Filing this so we have a signature on file and maybe the backtrace is already enough to see where the missing OOM check needs to be added. Ccing bhackett since it seems to be related to TI.

I explicitly attached a very broad signature because I'm seeing a lot of different crashes that all go through addProperty/getProperty, crash at 0x1 and are OOM errors. Separating them with different signatures would probably take too much time and I think the risk of another (non-OOM) bug hitting this signature is very low. Hopefully it's also just one fix for all of these :D

This is still one of the top OOM crashers for me, so I took a closer look again. The problem is that an OOM path in JSObject::makeLazyType returns 0x1 on OOM, leading to singleton being 0x1. This case however isn't handled by any of the callers. Jandem suggested to return NULL instead, which solved my crash problem and seems to pass jit-tests. Brian, can you check if this is the right thing to do? :)

Also note that the stacks in comment 0 are probably no longer accurate. Instead I'm seeing these now: Program received signal SIGSEGV, Segmentation fault. js::types::TypeObject::addProperty (this=0x7ffff624d350, cx=0x13f8630, id=<optimized out>, pprop=0x7ffff624d378) at js/src/jsinfer.cpp:2309 2309 if (singleton && singleton->isNative()) { (gdb) bt #0 js::types::TypeObject::addProperty (this=0x7ffff624d350, cx=0x13f8630, id=<optimized out>, pprop=0x7ffff624d378) at js/src/jsinfer.cpp:2309 #1 0x00000000005a3b49 in js::types::TypeObject::getProperty (this=0x7ffff624d350, cx=0x13f8630, id=140737323880960, own=true) at /srv/repos/mozilla-central/js/src/jsinferinlines.h:1503 #2 0x0000000000672f93 in EnsureTrackPropertyTypes (id=<optimized out>, obj=0x7ffff627da80, cx=0x13f8630) at ../jsinferinlines.h:555 #3 js::jit::ICUpdatedStub::addUpdateStubForValue (this=0x142a888, cx=0x13f8630, script=..., obj=..., id=..., val=...) at js/src/jit/BaselineIC.cpp:1355 #4 0x0000000000676c02 in TryAttachSetPropStub (attached=<synthetic pointer>, rhs=..., id=..., name=..., oldSlots=8, oldShape=..., obj=..., stub=0x15d63e8, pc=<optimized out>, script=..., cx=<optimized out>) at js/src/jit/BaselineIC.cpp:6706 #5 js::jit::DoSetPropFallback (cx=<optimized out>, frame=<optimized out>, stub=0x15d63e8, lhs=..., rhs=..., res=...) at /srv/repos/mozilla-central/js/src/jit/BaselineIC.cpp:6831 #6 0x00007ffff7f96bde in ?? () #7 0x0000000000000000 in ?? () (gdb) The reason for failure appears to be the same though.