The following testcase crashes on mozilla-central revision cd9c8c48e4b3 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

stackTest(new Function(`
  var g = newGlobal();
  var dbg = new Debugger(g);
  dbg.onDebuggerStatement = function (frame) {
    assertEq(frame.evalWithBindings("x", {x: 2}).return, 2);
  };
  g.eval("function f(y) { debugger; }");
  // The testcase is cut off here in this copy of the report; the call into g.f
  // that fires the debugger statement is not shown. Closing syntax restored.
`));

Program received signal SIGSEGV, Segmentation fault.
0x0000000000980cb3 in JSContext::recoverFromOutOfMemory (this=0x7ffff6955000) at js/src/jscntxt.cpp:1110
#0  0x0000000000980cb3 in JSContext::recoverFromOutOfMemory (this=0x7ffff6955000) at js/src/jscntxt.cpp:1110
#1  0x0000000000b3ed8c in js::DebugEnvironments::takeFrameSnapshot (cx=cx@entry=0x7ffff6955000, debugEnv=..., debugEnv@entry=..., frame=...) at js/src/vm/EnvironmentObject.cpp:2723
#2  0x0000000000b459f4 in js::DebugEnvironments::onPopCall (cx=cx@entry=0x7ffff6955000, frame=...) at js/src/vm/EnvironmentObject.cpp:2772
#3  0x000000000053dd1b in PopEnvironment (cx=cx@entry=0x7ffff6955000, ei=...) at js/src/vm/Interpreter.cpp:1083
#4  0x000000000053deeb in js::UnwindAllEnvironmentsInFrame (cx=cx@entry=0x7ffff6955000, ei=...) at js/src/vm/Interpreter.cpp:1146
#5  0x0000000000c42ac5 in js::InterpreterFrame::epilogue (this=0x7ffff42960c0, cx=0x7ffff6955000, pc=0x7ffff2ff020f "\231Ǘ\020\221\n") at js/src/vm/Stack.cpp:281
#6  0x000000000054b6a8 in Interpret (cx=0x7ffff6955000, state=...) at js/src/vm/Interpreter.cpp:4347
#7  0x0000000000551181 in js::RunScript (cx=0x7ffff6955000, state=...) at js/src/vm/Interpreter.cpp:435
#8  0x000000000055187f in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6955000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:513
#9  0x0000000000551bbd in InternalCall (cx=0x7ffff6955000, args=...) at js/src/vm/Interpreter.cpp:540
#10 0x0000000000551d20 in js::Call (cx=<optimized out>, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:559
#11 0x0000000000ab99b4 in js::ForwardingProxyHandler::call (this=<optimized out>, cx=0x7ffff6955000, proxy=..., args=...) at js/src/proxy/Wrapper.cpp:175
#12 0x0000000000aa584b in js::CrossCompartmentWrapper::call (this=0x1f13450 <js::CrossCompartmentWrapper::singleton>, cx=0x7ffff6955000, wrapper=..., args=...) at js/src/proxy/CrossCompartmentWrapper.cpp:359
#13 0x0000000000ab0165 in js::Proxy::call (cx=0x7ffff6955000, proxy=proxy@entry=..., args=...) at js/src/proxy/Proxy.cpp:497
#14 0x0000000000ab1d5d in js::proxy_Call (cx=0x7ffff6955000, argc=<optimized out>, vp=<optimized out>) at js/src/proxy/Proxy.cpp:772
#15 0x000000000055d391 in js::CallJSNative (cx=0x7ffff6955000, native=0xab1ce0 <js::proxy_Call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#16 0x0000000000551a19 in js::InternalCallOrConstruct (cx=cx@entry=0x7ffff6955000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:477
#17 0x0000000000551bbd in InternalCall (cx=0x7ffff6955000, args=...) at js/src/vm/Interpreter.cpp:540
#18 0x0000000000551cea in js::CallFromStack (cx=<optimized out>, args=...) at js/src/vm/Interpreter.cpp:546
#19 0x000000000063cea3 in js::jit::DoCallFallback (cx=0x7ffff6955000, frame=0x7fffffffcb68, stub_=<optimized out>, argc=<optimized out>, vp=0x7fffffffcb08, res=...) at js/src/jit/BaselineIC.cpp:2586
#20 0x00002282dd93628b in ?? ()
This could be a wrong assertion. Given the testcase, it seems likely that some call here can fail due to being out of stack space rather than regular OOM.
JSBugMon: Bisection requested, result:
The first bad revision is:
user:        Christian Holler
date:        Wed Sep 20 14:19:21 2017 +0200
summary:     Bug 1395240 - Implement stackTest function for JS stack OOM testing. r=jandem

This bug is occurring highly frequently, marking as fuzzblocker.
Attached patch: Patch
We call recoverFromOutOfMemory but the code can also throw overrecursion (when resolving the Array prototype under NewArray).
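The two comments above (the suspicion that the failure is stack exhaustion rather than regular OOM, and the explanation that NewArray can throw overrecursion while resolving the Array prototype) describe the same logic error: a caller that treats every allocation failure as out-of-memory and clears it through the OOM-only recovery path. The toy model below is an added illustration, not SpiderMonkey code and not the text of the attached patch. `ToyContext`, `resolvePrototype`, `newArray`, the two `takeSnapshot*` variants and the `Outcome` struct are invented for the example; the model assumes, as the backtrace suggests, that the real `recoverFromOutOfMemory` asserts the pending failure is OOM, which is represented here by counting a violation instead of aborting.

```cpp
// Added example (not SpiderMonkey code): a toy model of why a helper that
// assumes "allocation failed, so it must be OOM" misfires when the failure
// was actually over-recursion. All names are invented for the illustration.
#include <cstddef>
#include <vector>

enum class Pending { None, OutOfMemory, OverRecursed };

struct ToyContext {
    Pending pending = Pending::None;
    std::size_t depth = 0;          // simulated native stack depth
    std::size_t maxDepth = 8;       // simulated stack limit
    bool failAllocs = false;        // simulate heap exhaustion
    int assertionFailures = 0;      // stands in for a debug assertion aborting

    bool isThrowingOutOfMemory() const { return pending == Pending::OutOfMemory; }
    bool isThrowingOverRecursed() const { return pending == Pending::OverRecursed; }

    // Model of an OOM recovery helper (assumption about the real one): it may
    // only be used when the pending failure really is OOM; anything else is a
    // logic error that a debug build would turn into a crash.
    void recoverFromOutOfMemory() {
        if (pending == Pending::None) return;
        if (pending != Pending::OutOfMemory) ++assertionFailures;
        pending = Pending::None;
    }
};

// Simulated "resolve Array.prototype" step: it consumes stack, so near the
// limit it fails with over-recursion, not with OOM.
bool resolvePrototype(ToyContext& cx) {
    if (cx.depth >= cx.maxDepth) { cx.pending = Pending::OverRecursed; return false; }
    return true;
}

// Simulated array allocation (stand-in for NewArray): passes on the
// over-recursion from resolving the prototype, or reports OOM.
bool newArray(ToyContext& cx, std::vector<int>& out, std::size_t n) {
    if (!resolvePrototype(cx)) return false;
    if (cx.failAllocs) { cx.pending = Pending::OutOfMemory; return false; }
    out.assign(n, 0);
    return true;
}

// "Before": every failure is routed through the OOM path.
bool takeSnapshotBefore(ToyContext& cx) {
    std::vector<int> snapshot;
    if (!newArray(cx, snapshot, 4)) {
        cx.recoverFromOutOfMemory();   // wrong when over-recursion was thrown
        return false;
    }
    return true;
}

// "After": check which failure is pending first. Both are best-effort
// failures a snapshot may swallow, but only real OOM goes through the OOM helper.
bool takeSnapshotAfter(ToyContext& cx) {
    std::vector<int> snapshot;
    if (!newArray(cx, snapshot, 4)) {
        if (cx.isThrowingOverRecursed())
            cx.pending = Pending::None;  // clear the over-recursion explicitly
        else
            cx.recoverFromOutOfMemory(); // now only reached for real OOM
        return false;
    }
    return true;
}

struct Outcome {
    bool ok;                // did the snapshot succeed
    int assertionFailures;  // how often the OOM helper was misused
    Pending pendingAfter;   // what is left pending on the context
};

// Drive one variant at a given simulated stack depth and heap state.
Outcome run(bool fixedVersion, std::size_t depth, bool failAllocs) {
    ToyContext cx;
    cx.depth = depth;
    cx.failAllocs = failAllocs;
    bool ok = fixedVersion ? takeSnapshotAfter(cx) : takeSnapshotBefore(cx);
    return Outcome{ok, cx.assertionFailures, cx.pending};
}
```

Running `run(false, 8, false)` reproduces the shape of the bug: the allocation fails because the simulated stack is exhausted, the old path still calls the OOM helper, and the helper records the violation that a debug build would turn into the crash in the backtrace. The fixed variant at the same depth records nothing and leaves no failure pending, and both variants behave identically on a genuine OOM.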
Pushed by
Also handle overrecursion in DebugEnvironments::takeFrameSnapshot. r=jonco
