1213924 - Crash due to Assertion failure: [unhandlable oom] ExceptionHandlerBailout, at js/src/jscntxt.cpp:1216

Status: RESOLVED WONTFIX

(Core :: JavaScript Engine, defect)

Description

[Spandan Veggalam]

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151001175629

Steps to reproduce:

mozilla-central revision 3d7532ce81ac (build with: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug)

crashes with shell options
1.  --ion-eager --ion-offthread-compile=off --fuzzing-safe -f 
2. --ion-eager --ion-offthread-compile=off --non-writable-jitcode --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads --fuzzing-safe -f 

var lfcode = new Array();
lfcode.push(`
    var j = 0;
`);
lfcode.push(`
    oomAfterAllocations(50);
    try {
        eval("this = true");
    } catch (e) {
        exception = e.toString(0, 0);
    }
    `);
while (lfcode.length > 0) {
    var file = lfcode.shift();
    loadFile(file)
}
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
           evaluate(lfVarx);
       }
   } catch (lfVare) {}
}





Actual results:

Assertion failure: [unhandlable oom] ExceptionHandlerBailout, at js/src/jscntxt.cpp:1216 Hit MOZ_CRASH() at js/src/jscntxt.cpp:1217

Comment 1

[Daniel Veditz [:dveditz]]

Is there any evidence this is exploitable? It looks like a self-crash to prevent further corruption.

Comment 2

[Christian Holler (:decoder)]

This is an expected crash, not a security bug and also not a bug in general. For some types of OOM conditions, we force a (safe) crash instead of trying to handle the condition.

For further testing, you should ignore all Crashes that print [unhandlable oom] on stderr.