The following testcase crashes on mozilla-central revision e1576dd8bd9d (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

var lfLogBuffer = `
(function(global) {
  global.BUGNUMBER = "";
var BUGNUMBER = 452498;
var appendToActual = function(s) {}
function tryItOut(code) {
    d = f = Function(code)
tryItOut("assertEq('bar', String.raw\`bar\`);")
lfLogBuffer = lfLogBuffer.split('\n');
var lfCodeBuffer = "";
while (true) {
    var line = lfLogBuffer.shift();
    if (line == null) {
    } else if (line == "//corefuzz-dcd-endofdata") {
    } else {
        lfCodeBuffer += line + "\n";
if (lfCodeBuffer) loadFile(lfCodeBuffer);
function loadFile(lfVarx) {
      oomTest(function() {


 received signal SIGSEGV, Segmentation fault.
0x0000000000953578 in JSCompartment::getTemplateLiteralObject (this=0x7ffff692b000, cx=0x7ffff6948000, rawStrings=..., templateObj=...) at js/src/jscompartment.cpp:642
#0  0x0000000000953578 in JSCompartment::getTemplateLiteralObject (this=0x7ffff692b000, cx=0x7ffff6948000, rawStrings=..., templateObj=...) at js/src/jscompartment.cpp:642
#1  0x0000000000530f7d in Interpret (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:3193
#2  0x0000000000538a12 in js::RunScript (cx=0x7ffff6948000, state=...) at js/src/vm/Interpreter.cpp:394
#3  0x000000000053b581 in js::ExecuteKernel (cx=cx@entry=0x7ffff6948000, script=..., script@entry=..., envChainArg=..., newTargetValue=..., evalInFrame=..., evalInFrame@entry=..., result=result@entry=0x7fffffffb090) at js/src/vm/Interpreter.cpp:677
#4  0x0000000000570ac6 in EvalKernel (cx=cx@entry=0x7ffff6948000, v=..., v@entry=..., evalType=evalType@entry=DIRECT_EVAL, caller=..., env=env@entry=..., pc=<optimized out>, vp=...) at js/src/builtin/Eval.cpp:328
#5  0x000000000057100d in js::DirectEval (cx=cx@entry=0x7ffff6948000, v=..., vp=vp@entry=...) at js/src/builtin/Eval.cpp:438
#6  0x000000000060e200 in js::jit::DoCallFallback (cx=0x7ffff6948000, frame=0x7fffffffb128, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffb0d8, res=...) at js/src/jit/BaselineIC.cpp:2332
#7  0x000009654b9892e4 in ?? ()
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
user:        Shu-yu Guo
date:        Wed Mar 08 12:00:54 2017 -0800
summary:     Bug 1108941 - Implement the per-global template literal registry. (r=arai,jonco)

This seems like a fragile testcase, setting needinfo? from Shu-yu as per comment 1 as a start.
The bug is that defining the property may fail, causing the invariant that all
template objects in the cache are frozen. Teaches me to be clever...
(In reply to Shu-yu Guo [:shu] from comment #4)
Oh, and please add a check in the testcase too if possible.
(In reply to Jon Coppeard (:jonco) from comment #5)
> (In reply to Shu-yu Guo [:shu] from comment #4)
> Oh, and please add a check in the testcase too if possible.

Unfortunately I couldn't figure out a reliable test case since it depends on OOM.
Pushed by
Add template objects to the registry after freezing. (r=jonco)
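
The ordering problem discussed in the comments above, as an added example that is not part of the bug thread or of SpiderMonkey's code: a simplified registry in which the property definition can fail, with cache-before-freeze beside freeze-before-cache. The function names, the `Map` registry and the injected failure are assumptions made for illustration.

```javascript
// Simplified model of a template-object registry. All names are hypothetical;
// this is not SpiderMonkey code. Invariant: every cached object is frozen.
class SimulatedOOM extends Error {}

// Fallible step: defining .raw fails when failDefine is true (injected failure,
// standing in for the allocation failure that oomTest() triggers).
function defineRaw(obj, rawStrings, failDefine) {
  if (failDefine) throw new SimulatedOOM("defining .raw failed");
  Object.defineProperty(obj, "raw", { value: Object.freeze(rawStrings.slice()) });
}

// Ordering the thread identifies as the bug: publish first, finish later.
function getTemplateObjectCacheFirst(registry, site, cooked, raw, failDefine) {
  if (registry.has(site)) return registry.get(site);
  const obj = cooked.slice();
  registry.set(site, obj);            // visible to later lookups from here on
  defineRaw(obj, raw, failDefine);    // a failure here leaves obj cached, unfrozen
  return Object.freeze(obj);
}

// Ordering of the fix: run every fallible step, freeze, then publish.
function getTemplateObjectFreezeFirst(registry, site, cooked, raw, failDefine) {
  if (registry.has(site)) return registry.get(site);
  const obj = cooked.slice();
  defineRaw(obj, raw, failDefine);
  Object.freeze(obj);
  registry.set(site, obj);
  return obj;
}

// True only if every cached object is frozen and fully built.
function invariantHolds(registry) {
  return [...registry.values()].every((o) => Object.isFrozen(o) && "raw" in o);
}

// Evaluate the same call site twice: once with the failure injected, once without.
function runScenario(getTemplateObject) {
  const registry = new Map();
  let firstFailed = false;
  try {
    getTemplateObject(registry, "site-1", ["bar"], ["bar"], true);
  } catch (e) {
    if (!(e instanceof SimulatedOOM)) throw e;
    firstFailed = true;
  }
  const second = getTemplateObject(registry, "site-1", ["bar"], ["bar"], false);
  return { firstFailed, invariant: invariantHolds(registry), secondFrozen: Object.isFrozen(second) };
}

console.log("cache first: ", runScenario(getTemplateObjectCacheFirst));
console.log("freeze first:", runScenario(getTemplateObjectFreezeFirst));
```

With the cache-first ordering, the second evaluation of the call site is handed the half-built object left behind by the failed first attempt; with the freeze-first ordering, the failed attempt leaves nothing in the registry.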
