Bug 1491326 - Make oomTest() fuzzing safe by ensuring expectExceptionOnFailure parameter is false when fuzzing r=nbp

js/src/builtin/TestingFunctions.cpp

@@ -2012,11 +2012,6 @@ ParseIterativeFailureTestParams(JSContext* cx, const CallArgs& args,
     }
     params->testFunction = &args[0].toObject().as<JSFunction>();
 
-    // There are some places where we do fail without raising an exception, so
-    // we can't expose this to the fuzzers by default.
-    if (fuzzingSafe)
-        params->expectExceptionOnFailure = false;
-
     if (args.length() == 2) {
         if (args[1].isBoolean()) {
             params->expectExceptionOnFailure = args[1].toBoolean();
@@ -2043,6 +2038,12 @@ ParseIterativeFailureTestParams(JSContext* cx, const CallArgs& args,
         }
     }
 
+    // There are some places where we do fail without raising an exception, so
+    // we can't expose this to the fuzzers by default.
+    if (fuzzingSafe) {
+        params->expectExceptionOnFailure = false;
+    }
+
     // Test all threads by default.
     params->threadStart = oom::FirstThreadTypeToTest;
     params->threadEnd = oom::LastThreadTypeToTest;

js/src/jit-test/tests/gc/bug-1491326.js

@@ -0,0 +1,9 @@
+// |jit-test| --fuzzing-safe
+
+if (!('oomTest') in this)
+    quit();
+
+var g = newGlobal();
+g.parent = this;
+g.eval("new Debugger(parent).onExceptionUnwind = function() {}");
+oomTest(() => l, (true));