Bug 1491326 - Make oomTest() fuzzing safe by ensuring expectExceptionOnFailure parameter is false when fuzzing r=nbp
authorJon Coppeard <jcoppeard@mozilla.com>
Tue, 02 Oct 2018 10:36:29 +0100
changeset 487469 cdd5b0bde9c1cc29213e1fb82ce3688799cb8af8
parent 487468 cae1a7f33840ded4f2632eb18ed3a564bce2accf
child 487470 f7d61c61aa340208b4dc64f6b71fac2683750461
push id246
push userfmarier@mozilla.com
push dateSat, 13 Oct 2018 00:15:40 +0000
reviewersnbp
bugs1491326
milestone64.0a1
Bug 1491326 - Make oomTest() fuzzing safe by ensuring expectExceptionOnFailure parameter is false when fuzzing r=nbp
js/src/builtin/TestingFunctions.cpp
js/src/jit-test/tests/gc/bug-1491326.js
--- a/js/src/builtin/TestingFunctions.cpp
+++ b/js/src/builtin/TestingFunctions.cpp
@@ -2007,21 +2007,16 @@ ParseIterativeFailureTestParams(JSContex
     }
 
     if (!args[0].isObject() || !args[0].toObject().is<JSFunction>()) {
         JS_ReportErrorASCII(cx, "The first argument must be the function to test.");
         return false;
     }
     params->testFunction = &args[0].toObject().as<JSFunction>();
 
-    // There are some places where we do fail without raising an exception, so
-    // we can't expose this to the fuzzers by default.
-    if (fuzzingSafe)
-        params->expectExceptionOnFailure = false;
-
     if (args.length() == 2) {
         if (args[1].isBoolean()) {
             params->expectExceptionOnFailure = args[1].toBoolean();
         } else if (args[1].isObject()) {
             RootedObject options(cx, &args[1].toObject());
             RootedValue value(cx);
 
             if (!JS_GetProperty(cx, options, "expectExceptionOnFailure", &value)) {
@@ -2038,16 +2033,22 @@ ParseIterativeFailureTestParams(JSContex
                 params->keepFailing = ToBoolean(value);
             }
         } else {
             JS_ReportErrorASCII(cx, "The optional second argument must be an object or a boolean.");
             return false;
         }
     }
 
+    // There are some places where we do fail without raising an exception, so
+    // we can't expose this to the fuzzers by default.
+    if (fuzzingSafe) {
+        params->expectExceptionOnFailure = false;
+    }
+
     // Test all threads by default.
     params->threadStart = oom::FirstThreadTypeToTest;
     params->threadEnd = oom::LastThreadTypeToTest;
 
     // Test a single thread type if specified by the OOM_THREAD environment variable.
     int threadOption = 0;
     if (EnvVarAsInt("OOM_THREAD", &threadOption)) {
         if (threadOption < oom::FirstThreadTypeToTest || threadOption > oom::LastThreadTypeToTest) {
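Review bot: The comment moved above `if (fuzzingSafe)` still says the flag cannot be exposed to fuzzers "by default", but in its new position after argument parsing the assignment overrides a value the caller passed explicitly, whether as a boolean or through the options object. Rewording it to something like `// Under fuzzing-safe mode, ignore any caller-supplied expectExceptionOnFailure: some failure paths do not raise an exception.` would record why the block must stay after the parsing, so a later cleanup does not move it back. The body of ParseIterativeFailureTestParams starts and ends outside this hunk.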
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1491326.js
@@ -0,0 +1,9 @@
+// |jit-test| --fuzzing-safe
+
+if (!('oomTest') in this)
+    quit();
+
+var g = newGlobal();
+g.parent = this;
+g.eval("new Debugger(parent).onExceptionUnwind = function() {}");
+oomTest(() => l, (true));
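Review bot: The guard `if (!('oomTest') in this)` in the new test applies `!` to the string before `in` is evaluated, so it checks whether the global has a property named "false" rather than whether oomTest is defined. The `quit()` branch is therefore presumably never taken, and on a build that lacks oomTest the final line would throw a ReferenceError instead of skipping the test. The intended form is `if (!('oomTest' in this))`.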