The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe): lfLogBuffer = `this[''] = function() {}`; loadFile(lfLogBuffer); loadFile(lfLogBuffer); function loadFile(lfVarx) oomTest(function() parseModule(lfVarx)) Backtrace: Program received signal SIGSEGV, Segmentation fault. 0x0000000000c16472 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffafd0) at js/src/frontend/BytecodeCompiler.cpp:617 #0 0x0000000000c16472 in BytecodeCompiler::compileModule (this=this@entry=0x7fffffffafd0) at js/src/frontend/BytecodeCompiler.cpp:617 #1 0x0000000000c16775 in js::frontend::CompileModule (cx=cx@entry=0x7ffff6908800, optionsInput=..., srcBuf=..., alloc=<optimized out>, alloc@entry=0x0, sourceObjectOut=sourceObjectOut@entry=0x0) at js/src/frontend/BytecodeCompiler.cpp:784 #2 0x0000000000495b40 in ParseModule (cx=0x7ffff6908800, argc=<optimized out>, vp=0x7fffffffc178) at js/src/shell/js.cpp:3594 #3 0x00007ffff7fcfa38 in ?? () #4 0x00007ffff7e667c0 in ?? () #5 0x00007fffffffc150 in ?? () #6 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7fffffffa8e0 140737488333024 rcx 0x7ffff6ca588d 140737333844109 rdx 0x0 0 rsi 0x7ffff6f7a9d0 140737336814032 rdi 0x7ffff6f791c0 140737336807872 rbp 0x7fffffffaec0 140737488334528 rsp 0x7fffffffa8a0 140737488332960 r8 0x7ffff7fdf7c0 140737354004416 r9 0x6372732f736a2f6c 7165916604736876396 r10 0x7fffffffa660 140737488332384 r11 0x7ffff6c27ee0 140737333329632 r12 0x7fffffffa900 140737488333056 r13 0x7fffffffa8f0 140737488333040 r14 0x7ffff698b020 140737330589728 r15 0x7fffffffafd0 140737488334800 rip 0xc16472 <BytecodeCompiler::compileModule()+1490> => 0xc16472 <BytecodeCompiler::compileModule()+1490>: movl $0x269,0x0 0xc1647d <BytecodeCompiler::compileModule()+1501>: callq 0x4ab6f0 <abort()>

Backtrace for simulated OOM that precedes the crash: * thread #1: js_failedAllocBreakpoint at Utility.h:108 Stop reason = breakpoint 1.1 * 0: js_failedAllocBreakpoint at Utility.h:108 1: js::oom::ShouldFailWithOOM at Utility.h:154 2: js_malloc at Utility.h:236 3: js::Sprinter::init at Printer.cpp:113 4: js::QuoteString at Printer.cpp:380 5: (anonymous namespace)::NameResolver::appendPropertyReference at NameFunctions.cpp:51 6: (anonymous namespace)::NameResolver::nameExpression at NameFunctions.cpp:74 7: (anonymous namespace)::NameResolver::resolveFun at NameFunctions.cpp:215 8: (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:343 9: (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:457 10: (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:425 11: (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:686 12: (anonymous namespace)::NameResolver::resolve at NameFunctions.cpp:790 13: js::frontend::NameFunctions at NameFunctions.cpp:823 14: BytecodeCompiler::compileModule at BytecodeCompiler.cpp:588 15: js::frontend::CompileModule at BytecodeCompiler.cpp:784 16: ParseModule at js.cpp:3594

Patch to name the nameFunction method discriminate between an error condition and simply not finding a name for the function.

Comment on attachment 8740397 [details] [diff] [review] bug1263871-name-function-oom Review of attachment 8740397 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/frontend/NameFunctions.cpp @@ +109,1 @@ > */ That comment doesn't apply at all anymore, right? We separated out failure to the return value only.