Closed Bug 1491326 Opened 6 years ago Closed 6 years ago

Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?), at js/src/builtin/TestingFunctions.cpp:1776 with Debugger

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla64
Tracking Status
firefox-esr60 --- unaffected
firefox62 --- unaffected
firefox63 --- unaffected
firefox64 --- fixed

People

(Reporter: decoder, Assigned: jonco)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision da268c77ac76 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --without-intl-api --enable-optimize --target=i686-pc-linux-gnu, run with --fuzzing-safe):

    var g = newGlobal();
    g.parent = this;
    g.eval("new Debugger(parent).onExceptionUnwind = function() {}");
    oomTest(() => l, (true));

Backtrace:

    received signal SIGSEGV, Segmentation fault.
    0x56a74cc7 in RunIterativeFailureTest (simulator=<synthetic pointer>, params=..., cx=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1774
    #0  0x56a74cc7 in RunIterativeFailureTest (simulator=<synthetic pointer>, params=..., cx=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1774
    #1  OOMTest (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1901
    #2  0x5676149a in CallJSNative (cx=0xf6e1b800, native=0x56a745d0 <OOMTest(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:449
    [...]
    #17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9986

    eax            0x0      0
    ebx            0x0      0
    ecx            0xf7d92864       -136763292
    edx            0x0      0
    esi            0xf6e1b800       -152979456
    edi            0x573ebff4       1463730164
    ebp            0xffffcd28       4294954280
    esp            0xffffcc80       4294954112
    eip            0x56a74cc7       <OOMTest(JSContext*, unsigned int, JS::Value*)+1783>
    => 0x56a74cc7 <OOMTest(JSContext*, unsigned int, JS::Value*)+1783>:        movl   $0x0,0x0
       0x56a74cd1 <OOMTest(JSContext*, unsigned int, JS::Value*)+1793>:        ud2
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20160115010341" and the hash "32a8c6a3be186bbc1f39da147eb09b087ed322e3".
The "bad" changeset has the timestamp "20160115014842" and the hash "df444117c7bea0a407387dca31ed54c3598b054a".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=32a8c6a3be186bbc1f39da147eb09b087ed322e3&tochange=df444117c7bea0a407387dca31ed54c3598b054a
Blocks: 1239369
Attached patch bug1491326-oomtest-fuzz-safety (deleted) — Splinter Review
oomTest() currently isn't fuzzing safe because we can set expectExceptionOnFailure to true, and this expectation doesn't hold for all JS we might test (notably debugging stuff). The patch ensures this is always false when fuzzing.
Assignee: nobody → jcoppeard
Attachment #9013321 - Flags: review?(nicolas.b.pierron)
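To make the failure mode in this bug concrete, here is an added, stand-alone C++ model of the oomTest() iterative-failure loop and of the fix described in the comment above. It is example code written for this page, not SpiderMonkey's own code: Context, allocate(), reportOutOfMemory(), runIterativeFailureTest() and paramsFor() are simplified stand-ins (assumptions) for JSContext, the OOM simulator, js::ReportOutOfMemory() and the RunIterativeFailureTest()/OOMTest() parameter handling in js/src/builtin/TestingFunctions.cpp. The loop injects a failure at allocation 1, 2, 3, ... and, when expectExceptionOnFailure is set, flags a thunk that fails without leaving an exception pending, which is the assertion in the bug title; forcing the expectation off under fuzzingSafe is what the patch does.

```cpp
// Added example modelling oomTest()'s failure loop; not SpiderMonkey code.
#include <cstddef>
#include <cstdio>
#include <functional>

// Stand-in for JSContext (assumption): tracks pending exceptions and the
// simulated allocation counter used to inject a failure at the Nth allocation.
struct Context {
    bool exceptionPending = false;
    size_t allocCount = 0;  // allocations attempted so far in this run
    size_t failAt = 0;      // 0 = never fail; otherwise fail the Nth allocation
    bool failed = false;    // set once the injected failure has been hit

    // Simulated allocation: fails exactly once, at allocation number failAt.
    bool allocate() {
        if (failAt != 0 && ++allocCount == failAt) {
            failed = true;
            return false;
        }
        return true;
    }
    // Stand-in for js::ReportOutOfMemory(): leaves an exception pending.
    void reportOutOfMemory() { exceptionPending = true; }
};

struct IterativeFailureTestParams {
    bool expectExceptionOnFailure = true;
    size_t maxIterations = 32;
};

enum class Outcome { Passed, MissingException };

// Mirrors the shape of RunIterativeFailureTest(): re-run the thunk with the
// failure point moved one allocation later each time, until a run completes
// without hitting the injected failure.
Outcome runIterativeFailureTest(const std::function<bool(Context&)>& thunk,
                                const IterativeFailureTestParams& params) {
    for (size_t failAt = 1; failAt <= params.maxIterations; ++failAt) {
        Context cx;
        cx.failAt = failAt;
        bool ok = thunk(cx);
        if (!cx.failed) {
            return Outcome::Passed;  // no failure was injected: the test is done
        }
        if (!ok && params.expectExceptionOnFailure && !cx.exceptionPending) {
            // This is where the real code asserts cx->isExceptionPending().
            return Outcome::MissingException;
        }
    }
    return Outcome::Passed;
}

// The fix from the attached patch: whatever the caller asked for, the
// expectation is forced off when running fuzzing-safe.
IterativeFailureTestParams paramsFor(bool fuzzingSafe, bool requested) {
    IterativeFailureTestParams params;
    params.expectExceptionOnFailure = requested;
    if (fuzzingSafe) {
        params.expectExceptionOnFailure = false;
    }
    return params;
}

// A well-behaved thunk: every allocation failure is reported as OOM.
bool wellBehaved(Context& cx) {
    for (int i = 0; i < 3; ++i) {
        if (!cx.allocate()) {
            cx.reportOutOfMemory();
            return false;
        }
    }
    return true;
}

// A thunk that fails silently, like the Debugger path in the report.
bool silentFailure(Context& cx) {
    for (int i = 0; i < 3; ++i) {
        if (!cx.allocate()) {
            return false;  // no js::ReportOutOfMemory() equivalent
        }
    }
    return true;
}

int main() {
    auto show = [](const char* name, Outcome o) {
        std::printf("%s: %s\n", name,
                    o == Outcome::Passed ? "passed" : "failed without exception");
    };
    show("well-behaved, expect exception", runIterativeFailureTest(wellBehaved, paramsFor(false, true)));
    show("silent failure, expect exception", runIterativeFailureTest(silentFailure, paramsFor(false, true)));
    show("silent failure, fuzzing-safe", runIterativeFailureTest(silentFailure, paramsFor(true, true)));
    return 0;
}
```

The second run reproduces the bug: a thunk that fails without reporting OOM trips the check as soon as the first failure is injected. The third run shows the patched behaviour, where the same thunk under fuzzingSafe has the expectation cleared and the loop simply advances the failure point until the thunk completes.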
Comment on attachment 9013321 [details] [diff] [review] bug1491326-oomtest-fuzz-safety Review of attachment 9013321 [details] [diff] [review]: ----------------------------------------------------------------- Sorry for not catching this one before :/ ::: js/src/builtin/TestingFunctions.cpp @@ +2040,5 @@ > > + // There are some places where we do fail without raising an exception, so > + // we can't expose this to the fuzzers by default. > + if (fuzzingSafe) > + params->expectExceptionOnFailure = false; nit: Add curly braces.
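Review bot: the `if (fuzzingSafe) params->expectExceptionOnFailure = false;` line silently discards an explicit true argument rather than rejecting it, so a test author who runs under --fuzzing-safe may believe the exception check is active when it is not; consider documenting the override in oomTest()'s help text, or reporting an error when the caller explicitly asks for the expectation in fuzzing-safe mode. The comment above the check could also name the known case (Debugger hooks failing without raising, per this bug) so the next reader knows which paths motivated it.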
Attachment #9013321 - Flags: review?(nicolas.b.pierron) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/cdd5b0bde9c1 Make oomTest() fuzzing safe by ensuring expectExceptionOnFailure parameter is false when fuzzing r=nbp
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64