The following testcase crashes on mozilla-central revision e49151136658 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off): loadFile(` disassemble(function() { return assertDeepEq(x.concat(obj), [1, 2, 3, "hey"]); }) `); function loadFile(lfVarx) { oomTest(new Function(lfVarx)); } Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000502cb0 in js::CheckForInterrupt (cx=cx@entry=0x7ffff6924000) at js/src/jscntxtinlines.h:409 #0 0x0000000000502cb0 in js::CheckForInterrupt (cx=cx@entry=0x7ffff6924000) at js/src/jscntxtinlines.h:409 #1 0x00000000004f4ae8 in array_toSource (cx=0x7ffff6924000, argc=<optimized out>, vp=<optimized out>) at js/src/jsarray.cpp:1112 #2 0x000000000054167f in js::CallJSNative (cx=cx@entry=0x7ffff6924000, native=0x4f4c50 <array_toSource(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293 #3 0x0000000000537083 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6924000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470 #4 0x0000000000537498 in InternalCall (cx=cx@entry=0x7ffff6924000, args=...) at js/src/vm/Interpreter.cpp:515 #5 0x00000000005375cd in js::Call (cx=cx@entry=0x7ffff6924000, fval=..., fval@entry=..., thisv=..., thisv@entry=..., args=..., rval=..., rval@entry=...) at js/src/vm/Interpreter.cpp:534 #6 0x0000000000a1f38a in js::Call (rval=..., thisObj=<optimized out>, fval=..., cx=0x7ffff6924000) at js/src/vm/Interpreter.h:94 #7 js::ValueToSource (cx=cx@entry=0x7ffff6924000, v=..., v@entry=...) at js/src/jsstr.cpp:3565 #8 0x0000000000a1f72f in js::ValueToPrintable (cx=cx@entry=0x7ffff6924000, vArg=..., bytes=bytes@entry=0x7fffffffbcb0, asSource=asSource@entry=true) at js/src/jsstr.cpp:3445 #9 0x0000000000a1f993 in ToDisassemblySource (cx=0x7ffff6924000, v=v@entry=..., bytes=bytes@entry=0x7fffffffbcb0) at js/src/jsopcode.cpp:1226 #10 0x0000000000a22084 in Disassemble1 (cx=cx@entry=0x7ffff6924000, script=..., pc=pc@entry=0x7ffff43441ae "f", loc=<optimized out>, lines=lines@entry=false, parser=parser@entry=0x7fffffffbe30, sp=0x7fffffffc0d0) at js/src/jsopcode.cpp:1533 #11 0x0000000000a23287 in DisassembleAtPC (cx=cx@entry=0x7ffff6924000, scriptArg=<optimized out>, lines=lines@entry=false, pc=pc@entry=0x0, showAll=false, sp=sp@entry=0x7fffffffc0d0, showAll=false) at js/src/jsopcode.cpp:1131 #12 0x0000000000a235b8 in js::Disassemble (cx=cx@entry=0x7ffff6924000, script=..., script@entry=..., lines=lines@entry=false, sp=sp@entry=0x7fffffffc0d0) at js/src/jsopcode.cpp:1144 #13 0x0000000000458c77 in DisassembleScript (cx=cx@entry=0x7ffff6924000, script=script@entry=..., fun=fun@entry=..., lines=lines@entry=false, recursive=recursive@entry=false, sourceNotes=sourceNotes@entry=true, sp=0x7fffffffc0d0) at js/src/shell/js.cpp:2637 #14 0x0000000000459429 in DisassembleToSprinter (cx=cx@entry=0x7ffff6924000, argc=argc@entry=1, vp=vp@entry=0x7fffffffc178, sprinter=sprinter@entry=0x7fffffffc0d0) at js/src/shell/js.cpp:2742 #15 0x00000000004597a1 in DisassembleToString (cx=0x7ffff6924000, argc=<optimized out>, vp=0x7fffffffc178) at js/src/shell/js.cpp:2757 #16 0x000000450fb4a463 in ?? () #17 0x00007ffff470cf40 in ?? () #18 0x00007fffffffc150 in ?? () #19 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7ffff6924000 140737330167808 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffb650 140737488336464 rsp 0x7fffffffb640 140737488336448 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x58 88 r11 0x7ffff6b9f750 140737332770640 r12 0x7fffffffb6c0 140737488336576 r13 0x7fffffffb6e0 140737488336608 r14 0x0 0 r15 0x7ffff6924000 140737330167808 rip 0x502cb0 <js::CheckForInterrupt(JSContext*)+96> => 0x502cb0 <js::CheckForInterrupt(JSContext*)+96>: movl $0x0,0x0 0x502cbb <js::CheckForInterrupt(JSContext*)+107>: ud2

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/2c0348248944 user: Tooru Fujisawa date: Mon Feb 27 20:02:56 2017 +0900 summary: Bug 1322019 - Part 5: Print stack transition in dis() function output. r=nbp This iteration took 268.296 seconds to run.

Arai-san, is bug 1322019 a likely regressor?

Looks like the specific line was pre-existing, but apparently newly added code in bug 1322019 discovered the issue. I was about to add MOZ_MUST_USE to printer methods (put, printf, etc) but apparently OOM is supposed to be checked later with hadOutOfMemory method, and so many places calls those methods without checking the return value. so, for now I just added the check for return value to the specific code. the testcase calls disassemble unconditionally, but it also passes even if disassemble is not available (since it's oom test), might be better checking the existence of disassemble first?

https://hg.mozilla.org/integration/mozilla-inbound/rev/650c65dc3e87374d2fef22bc1edb5124567a69a2 Bug 1375446 - Check the return code of Sprinter::put in Disassemble1. r=nbp

Is there enough of a user impact here to justify backporting this to Beta for Fx55 or should we just let it ride the trains?

this is shell-only feature, and not exposed to browser and there's no user impact. I don't think it needs backport, unless fuzzer is hitting this frequently.