Closed
Bug 948188
Opened 11 years ago
Closed 11 years ago
Handle OOM in NewPropertyIteratorObject
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
People
(Reporter: decoder, Assigned: decoder)
References
(Blocks 1 open bug)
Details
(Keywords: crash, Whiteboard: [qa-])
Crash Data
Attachments
(1 file)
1.12 KB,
patch
|
n.nethercote
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
In NewPropertyIteratorObject we seem to be calling NewBuiltinClassInstance without checking its return value, although it's fallible:
> return &NewBuiltinClassInstance(cx, &PropertyIteratorObject::class_)->as<PropertyIteratorObject>();
The attached patch checks the return value first and returns NULL on failure. This fixes an OOM crash bug for me that the fuzzer keeps hitting.
Assignee | ||
Comment 1•11 years ago
|
||
Yay, Bugzilla ate my attachment \o/ njn, can you review this? Blame tells me you added the line in question :) Thanks!
Assignee: general → choller
Status: NEW → ASSIGNED
Attachment #8344973 -
Flags: review?(n.nethercote)
Comment 3•11 years ago
|
||
Comment on attachment 8344973 [details] [diff] [review] js-NewPropertyIteratorObject-oom.patch Review of attachment 8344973 [details] [diff] [review]: ----------------------------------------------------------------- I suspect I refactored that line but didn't add it originally. But the patch is simple and looks fine. Thanks!
Attachment #8344973 -
Flags: review?(n.nethercote) → review+
Assignee | ||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/ad9945733719
Comment 5•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/ad9945733719
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Comment 6•11 years ago
|
||
Christian: should this OOM fix be uplifted to Aurora 28 and Beta 27?
Flags: needinfo?(choller)
Assignee | ||
Comment 7•11 years ago
|
||
It's not necessary to uplift OOM fixes unless we see them in some crash stats. Uplifting to Aurora would surely be possible (easy fix, and less crashes in fuzzing then).
Flags: needinfo?(choller)
Assignee | ||
Comment 8•11 years ago
|
||
Comment on attachment 8344973 [details] [diff] [review] js-NewPropertyIteratorObject-oom.patch [Approval Request Comment] Bug caused by (feature/regressing bug #): N/A User impact if declined: Crashes with OOM conditions Testing completed (on m-c, etc.): A few days on mozilla-central Risk to taking this patch (and alternatives if risky): Not risky, patch is very simple (just adding a null check). String or IDL/UUID changes made by this patch: None
Attachment #8344973 -
Flags: approval-mozilla-aurora?
Comment 9•11 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #7) > It's not necessary to uplift OOM fixes unless we see them in some crash > stats. During the Aurora timeframe, I would think the bar would be pretty low with respect to taking potential stability fixes. If it's simple and low-risk, I would argue to just take it whether it's in crash stats. On beta, sure the bar is higher :)
Updated•11 years ago
|
Attachment #8344973 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 10•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/75a2bbd8c4b6
status-firefox28:
--- → fixed
Updated•11 years ago
|
status-firefox29:
--- → fixed
Comment 11•11 years ago
|
||
I don't think this needs QA verification. If anyone thinks that's a mistake please remove the [qa-] whiteboard tag and add the verifyme keyword.
Whiteboard: [qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•