The following testcase crashes on mozilla-central revision efccb758c78c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --baseline-eager): oomTest(new Function(` var a = ['p', 'q', 'r', 's', 't']; var o = {p:1, q:2, r:3, s:4, t:5}; for (var i in o) delete o[i]; for (var i of a) o.hasOwnProperty(undefined + this, false); `)); Backtrace: received signal SIGSEGV, Segmentation fault. 0x00005555559ac3c0 in js::AutoAssertNoPendingException::~AutoAssertNoPendingException (this=<optimized out>, __in_chrg=<optimized out>) at js/src/jsexn.h:130 #0 0x00005555559ac3c0 in js::AutoAssertNoPendingException::~AutoAssertNoPendingException (this=<optimized out>, __in_chrg=<optimized out>) at js/src/jsexn.h:130 #1 0x000055555599f824 in js::jit::HasPropIRGenerator::tryAttachStub (this=this@entry=0x7fffffffb630) at js/src/jit/CacheIR.cpp:3213 #2 0x000055555590d6f7 in js::jit::DoHasOwnFallback (cx=<optimized out>, frame=<optimized out>, stub_=<optimized out>, keyValue=..., objValue=..., res=...) at js/src/jit/BaselineIC.cpp:2331 #3 0x00003b2d9a4c6bb3 in ?? () [...] #57 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x1 1 rcx 0x7ffff6c1c2dd 140737333281501 rdx 0x0 0 rsi 0x7ffff6eeb770 140737336227696 rdi 0x7ffff6eea540 140737336223040 rbp 0x7fffffffb4c0 140737488336064 rsp 0x7fffffffb4c0 140737488336064 r8 0x7ffff6eeb770 140737336227696 r9 0x7ffff7fe6780 140737354033024 r10 0x58 88 r11 0x7ffff6b927a0 140737332717472 r12 0x7fffffffb500 140737488336128 r13 0x7fffffffb520 140737488336160 r14 0x1 1 r15 0x7fffffffb630 140737488336432 rip 0x5555559ac3c0 <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+48> => 0x5555559ac3c0 <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+48>: movl $0x0,0x0 0x5555559ac3cb <js::AutoAssertNoPendingException::~AutoAssertNoPendingException()+59>: ud2

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/5e1a2ab034ae user: Tom Schuster date: Thu Apr 13 22:17:57 2017 +0200 summary: Bug 1344469 - Part 4 - Megamorphic stub. r=jandem This iteration took 261.879 seconds to run.

Tom, is bug 1344469 a likely regressor?

I'm taking this bug to as a good first JIT bug for Iain.

https://searchfox.org/mozilla-central/rev/6c82481caa506a240a626bb44a2b8cbe0eedb3a0/js/src/jit/VMFunctions.cpp#1752 This is leaking an OOM into a number of signatures. It probably fill fix a few OOM jit fuzz bugs. We should have an AutoNoPendingException for the ValueToAtomOrSymbol. It might be fine to just pass nullptr for cx.

nullptr for cx isn't valid for AtomizeString, so just capturing the exception in ValueToAtomOrSymbol is probably best.

Comment on attachment 9010641 [details] Bug 1491350: Clear pending OOM exceptions before returning from hasNativeProperty / getNativePropertyByValue Ted Campbell [:tcampbell] has approved the revision.

Pushed by tcampbell@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2b5b7bd869ac Clear pending OOM exceptions before returning from hasNativeProperty / getNativePropertyByValue r=tcampbell