Closed
Bug 698584
Opened 13 years ago
Closed 13 years ago
OOM crash [@ JSString::isLinear] with regular expression
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla10
People
(Reporter: decoder, Assigned: evilpie)
References
Details
(Keywords: crash, testcase, Whiteboard: js-triage-needed)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
1.22 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
The following test crashes on mozilla-central revision 322354df233d (options -m -n -a), armv7-a arch only (I am not sure if this is an ARM issue or if it's due to the memory restrictions of the ARM board):
const MAX = 10000;
var str = "";
for (var i = 0; i < MAX; ++i) {
/x/.test(str);
str += str + 'xxxxxxxxxxxxxx';
}
Backtrace of crash:
Program received signal SIGSEGV, Segmentation fault.
0x00042d26 in JSString::isLinear (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:329
329 return (d.lengthAndFlags & LINEAR_MASK) == LINEAR_FLAGS;
(gdb) bt
#0 0x00042d26 in JSString::isLinear (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:329
#1 0x00042fbc in JSLinearString::chars (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:457
#2 0x0020a194 in ExecuteRegExp (cx=0x4a2b38, native=0x20a3b1 <js::regexp_test(JSContext*, uintN, JS::Value*)>, argc=1, vp=0x4048e058)
at /home/decoder/LangFuzz/mozilla-central/js/src/builtin/RegExp.cpp:538
#3 0x0020a3cc in js::regexp_test (cx=0x4a2b38, argc=1, vp=0x4048e058) at /home/decoder/LangFuzz/mozilla-central/js/src/builtin/RegExp.cpp:590
#4 0x000f0dba in js::CallJSNative (cx=0x4a2b38, native=0x20a3b1 <js::regexp_test(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:297
#5 0x00300c00 in CallCompiler::generateNativeStub (this=0xbedd6300) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:939
#6 0x002fcdd6 in js::mjit::ic::NativeCall (f=..., ic=0x4a7c98) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:1173
#7 0x0028966e in JaegerStubVeneer () at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:164
#8 0x4089165c in ?? ()
I think this could be an allocation failing due to oom where the allocating function returns NULL instead and the error is not checked, leading to a null-deref (not security relevant in that case).
|
Reporter | |
Updated•13 years ago
|
Whiteboard: js-triage-needed
|
Assignee | |
Updated•13 years ago
|
Assignee: general → evilpies
|
|
Assignee | |
Comment 1•13 years ago
|
||
Untested but should fix this.
|
||
Comment 2•13 years ago
|
||
Try run for 5a1614379c50 is complete.
Detailed breakdown of the results available here:
https://tbpl.mozilla.org/?tree=Try&rev=5a1614379c50
Results (out of 19 total builds):
success: 14
warnings: 5
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-5a1614379c50|
|
Assignee | |
Comment 3•13 years ago
|
||
Not sure how to test, but didn't crash on Android test run.
Attachment #570845 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•13 years ago
|
Attachment #571114 -
Flags: review?(mrbkap)
|
||
Updated•13 years ago
|
Attachment #571114 -
Flags: review?(mrbkap) → review+
|
||
Comment 4•13 years ago
|
||
Backed out along with bug 430927 because of test failures on inbound: https://hg.mozilla.org/integration/mozilla-inbound/rev/04505e53439e This patch can re-land if it is not responsible for the test failures.
|
|
||
Comment 5•13 years ago
|
||
Try run for 57e8ba5a8d21 is complete.
Detailed breakdown of the results available here:
https://tbpl.mozilla.org/?tree=Try&rev=57e8ba5a8d21
Results (out of 18 total builds):
exception: 16
failure: 2
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-57e8ba5a8d21|
|
||
Comment 6•13 years ago
|
||
Try run for a45235903f82 is complete.
Detailed breakdown of the results available here:
https://tbpl.mozilla.org/?tree=Try&rev=a45235903f82
Results (out of 88 total builds):
exception: 41
success: 5
warnings: 3
failure: 39
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-a45235903f82|
|
||
Comment 7•13 years ago
|
||
Try run for 2d87fa073ff9 is complete.
Detailed breakdown of the results available here:
https://tbpl.mozilla.org/?tree=Try&rev=2d87fa073ff9
Results (out of 193 total builds):
success: 184
warnings: 9
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-2d87fa073ff9|
|
Assignee | |
Comment 8•13 years ago
|
||
http://hg.mozilla.org/integration/mozilla-inbound/rev/9a95c40a398d
|
||
Comment 9•13 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/9a95c40a398d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10
|
|
Reporter | |
Comment 10•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug698584.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•