The following testcase crashes on mozilla-central revision b6acf4d4fc20 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2): evaluate(` function ERROR(msg) { throw new Error("Test262 error: " + msg); } for (var i = 0; i < 9; ++ i) { var dbg = new Debugger; dbg.onNewGlobalObject = ERROR; } oomTest(function() { newGlobal(); }) `); Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000526848 in js::CheckForInterrupt (cx=<optimized out>) at js/src/jscntxt.h:666 #0 0x0000000000526848 in js::CheckForInterrupt (cx=<optimized out>) at js/src/jscntxt.h:666 #1 0x0000000000aa9c53 in Interpret (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:1898 #2 0x0000000000ab8828 in js::RunScript (cx=cx@entry=0x7ffff6907800, state=...) at js/src/vm/Interpreter.cpp:428 #3 0x0000000000ab8b6d in js::Invoke (cx=cx@entry=0x7ffff6907800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:496 #4 0x0000000000ab962c in js::Invoke (cx=cx@entry=0x7ffff6907800, thisv=..., fval=..., argc=argc@entry=0, argv=argv@entry=0x0, rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:530 #5 0x0000000000934207 in MaybeCallMethod (cx=cx@entry=0x7ffff6907800, obj=obj@entry=..., id=..., id@entry=..., vp=vp@entry=...) at js/src/jsobj.cpp:2953 #6 0x0000000000935abf in JS::OrdinaryToPrimitive (cx=cx@entry=0x7ffff6907800, obj=obj@entry=..., hint=hint@entry=JSTYPE_STRING, vp=..., vp@entry=...) at js/src/jsobj.cpp:2999 #7 0x000000000093f6c8 in js::ToPrimitiveSlow (cx=cx@entry=0x7ffff6907800, preferredType=preferredType@entry=JSTYPE_STRING, vp=..., vp@entry=...) at js/src/jsobj.cpp:3083 #8 0x0000000000994521 in ToPrimitive (vp=..., preferredType=JSTYPE_STRING, cx=0x7ffff6907800) at js/src/jsobj.h:1030 #9 js::ToStringSlow<(js::AllowGC)1> (cx=0x7ffff6907800, arg=...) at js/src/jsstr.cpp:4456 #10 0x00000000008fd352 in js::ErrorReport::init (this=this@entry=0x7fffffff9f70, cx=cx@entry=0x7ffff6907800, exn=exn@entry=...) at js/src/jsexn.cpp:817 #11 0x00000000008fdc56 in js::ReportUncaughtException (cx=cx@entry=0x7ffff6907800) at js/src/jsexn.cpp:691 #12 0x00000000008b2310 in JS_ReportPendingException (cx=cx@entry=0x7ffff6907800) at js/src/jsapi.cpp:5687 #13 0x00000000008e05b8 in js::PrepareScriptEnvironmentAndInvoke (cx=cx@entry=0x7ffff6907800, scope=..., closure=...) at js/src/jsfriendapi.cpp:1195 #14 0x00000000009dc77c in js::Debugger::handleUncaughtExceptionHelper (this=this@entry=0x7ffff694d800, ac=..., vp=vp@entry=0x7fffffffa270, callHook=callHook@entry=true, thisVForCheck=..., frame=..., frame@entry=...) at js/src/vm/Debugger.cpp:1188 #15 0x00000000009f6684 in handleUncaughtException (frame=..., thisVForCheck=..., callHook=true, vp=..., ac=..., this=0x7ffff694d800) at js/src/vm/Debugger.cpp:1206 #16 js::Debugger::fireNewGlobalObject (this=this@entry=0x7ffff694d800, cx=cx@entry=0x7ffff6907800, global=..., global@entry=..., vp=..., vp@entry=...) at js/src/vm/Debugger.cpp:1870 #17 0x00000000009f6a3f in js::Debugger::slowPathOnNewGlobalObject (cx=0x7ffff6907800, cx@entry=0x7fffffffa490, global=global@entry=...) at js/src/vm/Debugger.cpp:1919 #18 0x00000000008ad4a5 in onNewGlobalObject (global=..., cx=0x7fffffffa490) at js/src/vm/Debugger.h:1110 #19 JS_FireOnNewGlobalObject (cx=cx@entry=0x7ffff6907800, global=..., global@entry=...) at js/src/jsapi.cpp:1919 #20 0x000000000049b155 in NewGlobalObject (cx=cx@entry=0x7ffff6907800, options=..., principals=principals@entry=0x0) at js/src/shell/js.cpp:6444 #21 0x000000000049b265 in NewGlobal (cx=0x7ffff6907800, argc=<optimized out>, vp=0x7fffffffa738) at js/src/shell/js.cpp:4232 #22 0x00007ffff7fd15bd in ?? () #23 0x00007ffff456ca10 in ?? () #24 0x00007fffffffa710 in ?? () #25 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff6907800 140737330051072 rcx 0x7ffff6ca588d 140737333844109 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffff9380 140737488327552 rsp 0x7fffffff9380 140737488327552 r8 0x7ffff7fdf7c0 140737354004416 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7ffff6f76be0 140737336798176 r11 0x0 0 r12 0x7ffff456c1a1 140737292714401 r13 0x7ffff6907830 140737330051120 r14 0x1be1d20 29236512 r15 0x4000000 67108864 rip 0x526848 <js::CheckForInterrupt(JSContext*)+56> => 0x526848 <js::CheckForInterrupt(JSContext*)+56>: movl $0x29a,0x0 0x526853 <js::CheckForInterrupt(JSContext*)+67>: callq 0x4a6f30 <abort()>

JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20160112170633" and the hash "7df7cf796d9ac7de39162e92fdf081f6a69e8746". The "bad" changeset has the timestamp "20160112171030" and the hash "f46824dc517a6b73d1eda31640b18d93e7020a35". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=7df7cf796d9ac7de39162e92fdf081f6a69e8746&tochange=f46824dc517a6b73d1eda31640b18d93e7020a35

Jim, is bug 1236801 a likely regressor? Or can the OOM_VERBOSE=1 stack in comment 2 help you out here?

I can reproduce. Taking.

I think this is the right path. The problem is that the getOrCreate ooms, and then in ErrorReport::init, we go on to call ToString, which invokes script with a pending exception. Since callers believe nullptr result to mean "we can't get one", just swallow the exception and let them think that.

OOM. Not going to uplift. WONTFIX 47, 48.