Closed
Bug 1213924
Opened 9 years ago
Closed 9 years ago
Crash due to Assertion failure: [unhandlable oom] ExceptionHandlerBailout, at js/src/jscntxt.cpp:1216
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WONTFIX
People
(Reporter: spandan.veggalam, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151001175629

Steps to reproduce:

mozilla-central revision 3d7532ce81ac (build with: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug) crashes with shell options

1. --ion-eager --ion-offthread-compile=off --fuzzing-safe -f
2. --ion-eager --ion-offthread-compile=off --non-writable-jitcode --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads --fuzzing-safe -f

    var lfcode = new Array();
    lfcode.push(`
    var j = 0;
    `);
    lfcode.push(`
    oomAfterAllocations(50);
    try {
        eval("this = true");
    } catch (e) {
        exception = e.toString(0, 0);
    }
    `);
    while (lfcode.length > 0) {
        var file = lfcode.shift();
        loadFile(file)
    }
    function loadFile(lfVarx) {
        try {
            if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
                evaluate(lfVarx);
            }
        } catch (lfVare) {}
    }

Actual results:

Assertion failure: [unhandlable oom] ExceptionHandlerBailout, at js/src/jscntxt.cpp:1216
Hit MOZ_CRASH() at js/src/jscntxt.cpp:1217
Updated•9 years ago
Group: core-security → javascript-core-security
Updated•9 years ago
Flags: sec-bounty?
Comment 1•9 years ago
Is there any evidence this is exploitable? It looks like a self-crash to prevent further corruption.
Flags: needinfo?(choller)
Comment 2•9 years ago
This is an expected crash, not a security bug and also not a bug in general. For some types of OOM conditions, we force a (safe) crash instead of trying to handle the condition. For further testing, you should ignore all crashes that print [unhandlable oom] on stderr.
Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Flags: needinfo?(choller)
Resolution: --- → INVALID
Updated•9 years ago
Flags: sec-bounty? → sec-bounty-
Reporter
Updated•9 years ago
Resolution: INVALID → WONTFIX
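The triage rule from Comment 2, written as a filter a fuzzing harness could apply to each run's stderr. This is an added example, not code from the bug or from Mozilla's tooling; the function names, the second and third sample inputs, and the signature format are assumptions made for illustration.

```python
import re
from collections import Counter

UNHANDLABLE_OOM = "[unhandlable oom]"  # marker named in Comment 2

# Line shapes taken from the "Actual results" in this bug.
ASSERT_RE = re.compile(r"^Assertion failure: (?P<msg>.*), at (?P<loc>\S+:\d+)\s*$")
CRASH_RE = re.compile(r"^Hit MOZ_CRASH\((?P<msg>.*)\) at (?P<loc>\S+:\d+)\s*$")


def triage(stderr_text):
    """Return (verdict, signature) for the stderr of one shell run.

    verdict: "ignore" for the deliberate safe OOM crash, "investigate" for
    any other assertion or MOZ_CRASH, "no-crash" when neither is present.
    """
    lines = stderr_text.splitlines()
    signature = None
    for line in lines:
        m = ASSERT_RE.match(line) or CRASH_RE.match(line)
        if m:  # first crash line gives the bucket signature
            signature = f"{m['msg']} @ {m['loc']}".strip()
            break
    if any(UNHANDLABLE_OOM in line for line in lines):
        return "ignore", signature
    if signature is not None:
        return "investigate", signature
    return "no-crash", None


def bucket(runs):
    """Count signatures that still need a look, skipping ignored runs."""
    counts = Counter()
    for text in runs:
        verdict, sig = triage(text)
        if verdict == "investigate":
            counts[sig] += 1
    return counts


# stderr as reported in this bug
PAGE_STDERR = (
    "Assertion failure: [unhandlable oom] ExceptionHandlerBailout, "
    "at js/src/jscntxt.cpp:1216\n"
    "Hit MOZ_CRASH() at js/src/jscntxt.cpp:1217\n"
)
# Constructed samples (hypothetical message and path), not from the bug
OTHER_STDERR = "Assertion failure: index < length, at js/src/example.cpp:42\n"
CLEAN_STDERR = "warning: something harmless\n"

if __name__ == "__main__":
    print(bucket([PAGE_STDERR, OTHER_STDERR, OTHER_STDERR, CLEAN_STDERR]))
```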