The following testcase crashes on mozilla-central revision f19ca5123d6a (run with --fuzzing-safe):

gc();
var f = Function("a", "b", "return a + b;");
oomAfterAllocations(2);
f.toSource();
Trace from an optimized ASan build:

Program received signal SIGSEGV, Segmentation fault.
0x090233f6 in js::FillBindingVector (fromScript=0xee333180, vec=<optimized out>) at ../../dist/include/mozilla/Vector.h:1036
1036        if (mLength == mCapacity && !growStorageBy(1))
#0  0x090233f6 in js::FillBindingVector (fromScript=0xee333180, vec=<optimized out>) at ../../dist/include/mozilla/Vector.h:1036
#1  0x08d58117 in js::FunctionToString (fun=, bodyOnly=<optimized out>, lambdaParen=<optimized out>, cx=<optimized out>) at js/src/jsfun.cpp:899
#2  0x08dda413 in fun_toStringHelper (cx=<optimized out>, obj=<error reading variable: Cannot access memory at address 0x0>, indent=<optimized out>) at js/src/jsfun.cpp:997
#3  0x08de0e15 in fun_toSource (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/jsfun.cpp:1036
#4  0x0926a4b5 in js::Invoke (args=..., cx=<optimized out>, construct=<optimized out>) at js/src/jscntxtinlines.h:241
#5  0x0925560b in Interpret (cx=0xee333180, state=...) at js/src/vm/Interpreter.cpp:2566
#6  0x0922da28 in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:402
#7  0x091fc58b in js::ExecuteKernel (script=<error reading variable: Cannot access memory at address 0x0>, evalInFrame=..., result=<optimized out>, cx=<optimized out>, scopeChainArg=..., thisv=..., type=<optimized out>) at js/src/vm/Interpreter.cpp:610
ebx            0x971cff4	158453748
esi            0x8	8
Vector(JS::Handle<JSScript*>, js::Vector<js::Binding, 32u, js::TempAllocPolicy>*)+246>:	mov    (%esi),%ebx

Needinfo on Jason since he wanted some more OOM bugs :)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/b2de3b90184a
user:        Sean Stangl
date:        Fri Dec 13 14:49:26 2013 -0800
summary:     Bug 946481 - Add xaddl to Assembler-x86-shared. r=efaust

This iteration took 315.823 seconds to run.
JSBugMon: The testcase found in this bug no longer reproduces (tried revision d2d56f9066bf).
FillBindingVector has been removed from our codebase. The new way of iterating through bindings in FunctionToString seems memory safe.