The following testcase crashes on mozilla-central revision ec3ef9f77a52 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

See attachment.

Backtrace:

#0 js::ActivationIterator::ActivationIterator (this=0x7ffe4670dcc0, cx=0x7f0c06b4b000, target=...) at js/src/vm/Stack.cpp:1730
#1 0x000000000069a9fb in js::jit::JitActivationIterator::JitActivationIterator (target=..., cx=<optimized out>, this=0x7ffe4670dcc0) at js/src/vm/Stack.h:1645
#2 js::jit::InvalidateAll (fop=fop@entry=0x7f0c06b271d0, zone=zone@entry=0x7f0c05c31000) at js/src/jit/Ion.cpp:3208
#3 0x0000000000de9ebb in JS::Zone::discardJitCode (this=0x7f0c05c31000, fop=0x7f0c06b271d0, discardBaselineCode=discardBaselineCode@entry=false) at js/src/gc/Zone.cpp:235
#4 0x0000000000c18a2a in js::AutoClearTypeInferenceStateOnOOM::~AutoClearTypeInferenceStateOnOOM (this=0x7ffe4670de88, __in_chrg=<optimized out>) at js/src/vm/TypeInference.cpp:4603
/snip

For detailed crash information, see attachment.

This testcase, when reduced, seems fragile, so filing this while it is fairly reproducible.
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/fe2fedb64403
user: Brian Hackett
date: Thu Feb 09 05:41:31 2017 -0700
summary: Bug 1335095 - Allow cooperating JSContexts to iterate over each others' activations, r=jandem.

Brian, is bug 1335095 a likely regressor?
JSBugMon: Cannot process bug: Error: Failed to isolate test from comment
Created attachment 8839116 [details] [diff] [review] patch
Assignee: nobody → bhackett1024
Attachment #8839116 - Flags: review?(jdemooij)
Attachment #8839116 - Flags: review?(jdemooij) → review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/3ebbc022b8f6 Prohibit context switches while handling OOM during type inference operations, r=jandem.
Probably the same as bug 1341283 but that bug has a simple test case.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox54: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected