The following testcase crashes on mozilla-central-oom (https://github.com/nbp/gecko-dev/tree/oom) revision 3af20e1a0618bbb2eb4d0f1c072da365558858a0 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager --ion-extra-checks --ion-check-range-analysis): oomAtAllocation(-3); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000491e90 in js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion (this=<optimized out>, __in_chrg=<optimized out>) at ../../../dist/include/js/Utility.h:209 #0 0x0000000000491e90 in js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion (this=<optimized out>, __in_chrg=<optimized out>) at ../../../dist/include/js/Utility.h:209 #1 0x00000000008648f5 in ~DebugOnly (this=0x7fffffffd270, __in_chrg=<optimized out>) at ../../dist/include/mozilla/DebugOnly.h:82 #2 js::Nursery::collect (this=this@entry=0x7ffff693c460, rt=<optimized out>, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT, pretenureGroups=pretenureGroups@entry=0x0) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/gc/Nursery.cpp:429 #3 0x0000000000b3e6e5 in js::gc::GCRuntime::minorGCImpl (this=this@entry=0x7ffff693c408, reason=reason@entry=JS::gcreason::DESTROY_CONTEXT, pretenureGroups=pretenureGroups@entry=0x0) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsgc.cpp:6591 #4 0x0000000000b83259 in evictNursery (reason=JS::gcreason::DESTROY_CONTEXT, this=this@entry=0x7ffff693c408) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/gc/GCRuntime.h:611 #5 js::gc::GCRuntime::gcCycle (this=this@entry=0x7ffff693c408, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsgc.cpp:6152 #6 0x0000000000b8389e in js::gc::GCRuntime::collect (this=this@entry=0x7ffff693c408, nonincrementalByAPI=nonincrementalByAPI@entry=true, budget=..., reason=reason@entry=JS::gcreason::DESTROY_CONTEXT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsgc.cpp:6352 #7 0x0000000000b83bf3 in js::gc::GCRuntime::gc (this=0x7ffff693c408, gckind=<optimized out>, reason=JS::gcreason::DESTROY_CONTEXT) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsgc.cpp:6417 #8 0x0000000000b847cc in js::DestroyContext (cx=0x7ffff6907400, mode=js::DCM_FORCE_GC) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jscntxt.cpp:186 #9 0x0000000000b849be in JS_DestroyContext (cx=<optimized out>) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/jsapi.cpp:799 #10 0x0000000000477872 in DestroyContext (withGC=true, cx=0x7ffff6907400) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/shell/js.cpp:5748 #11 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at /home/ownhero/homes/mozilla/repos/gecko-dev/js/src/shell/js.cpp:6588 rax 0x0 0 rbx 0x7ffff693c460 140737330267232 rcx 0x7ffff6ca588d 140737333844109 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffd0e0 140737488343264 rsp 0x7fffffffd0e0 140737488343264 r8 0x7ffff7fcc780 140737353926528 r9 0x736a2f6564756c63 8316511774416661603 r10 0x7fffffffcea0 140737488342688 r11 0x7ffff6c27ee0 140737333329632 r12 0x7ffff693c000 140737330266112 r13 0x7fffffffd420 140737488344096 r14 0x72b 1835 r15 0x3 3 rip 0x491e90 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+112> => 0x491e90 <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+112>: movl $0xd1,0x0 0x491e9b <js::AutoEnterOOMUnsafeRegion::~AutoEnterOOMUnsafeRegion()+123>: callq 0x4984d0 <abort()>

Not actually an OOM bug - just a missing check in OOMAtAllocation that the argument is nonnegative. It should just throw in that case, or do nothing. Should check other APIs in that file (TestingFunctions.cpp) too for similar issues.

https://hg.mozilla.org/integration/mozilla-inbound/rev/a13e919f927b216f911957da1fa70d95a2335f1f Bug 1212390 - fix lingering bugs around oomAtAllocation. r=jonco

https://hg.mozilla.org/integration/mozilla-inbound/rev/3188b162ee535793e8a7d8072937bec76f12475f Bug 1212390 - correct test case. r=jonco

https://hg.mozilla.org/mozilla-central/rev/a13e919f927b https://hg.mozilla.org/mozilla-central/rev/3188b162ee53