Crash due to Assertion failure: [unhandlable oom] ExceptionHandlerBailout, at js/src/jscntxt.cpp:1216

RESOLVED WONTFIX

Core
JavaScript Engine
People

(Reporter: Spandan Veggalam, Unassigned)

Tracking

Version: Trunk
Bug Flags: sec-bounty -

Description (Reporter, 3 years ago)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:41.0) Gecko/20100101 Firefox/41.0
Build ID: 20151001175629

Steps to reproduce:

mozilla-central revision 3d7532ce81ac (build with: --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --enable-debug)

Crashes with the following shell options:
1. --ion-eager --ion-offthread-compile=off --fuzzing-safe -f
2. --ion-eager --ion-offthread-compile=off --non-writable-jitcode --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads --fuzzing-safe -f

var lfcode = new Array();
// First chunk: trivial code, only exercises the loader.
lfcode.push(`
    var j = 0;
`);
// Second chunk: make allocations fail after 50 more of them, then force an
// invalid assignment inside eval() under try/catch so that exception
// handling runs while the engine is out of memory.
lfcode.push(`
    oomAfterAllocations(50);
    try {
        eval("this = true");
    } catch (e) {
        exception = e.toString(0, 0);
    }
`);
while (lfcode.length > 0) {
    var file = lfcode.shift();
    loadFile(file);
}
// Evaluate one chunk of source in the shell, swallowing anything it throws.
function loadFile(lfVarx) {
    try {
        if (lfVarx.substr(-3) != ".js" && lfVarx.length != 1) {
            evaluate(lfVarx);
        }
    } catch (lfVare) {}
}

Actual results:

Assertion failure: [unhandlable oom] ExceptionHandlerBailout, at js/src/jscntxt.cpp:1216
Hit MOZ_CRASH() at js/src/jscntxt.cpp:1217
Group: core-security → javascript-core-security
Flags: sec-bounty?
Is there any evidence this is exploitable? It looks like a self-crash to prevent further corruption.
Flags: needinfo?(choller)
This is an expected crash, not a security bug and also not a bug in general. For some types of OOM conditions, we force a (safe) crash instead of trying to handle the condition.

For further testing, you should ignore all crashes that print [unhandlable oom] on stderr.
Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(choller)
Resolution: --- → INVALID
Flags: sec-bounty? → sec-bounty-
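As an added example (not part of this bug or of SpiderMonkey's own tooling), a small triage filter implementing the rule stated in the comment above: crashes whose assertion message carries the [unhandlable oom] marker are the forced safe crash and can be dropped from a fuzzing queue, while any other assertion failure is kept for investigation. The regular expression is constructed from the single assertion line quoted in this bug; the second sample input is made up for contrast.

```python
import re

# Matches the SpiderMonkey shell assertion line quoted in this bug.
# Constructed from that one sample; other MOZ_ASSERT output may differ.
ASSERT_RE = re.compile(
    r"Assertion failure: (?P<msg>.+?), at (?P<file>[^\s:]+):(?P<line>\d+)"
)
UNHANDLABLE_OOM = "[unhandlable oom]"


def triage_crash(stderr_text):
    """Classify the stderr of one crashed shell run.

    verdict is 'expected-oom-crash' when the assertion message starts with
    the [unhandlable oom] marker (the deliberate safe crash described in the
    bug), 'investigate' for any other assertion failure, and 'no-assertion'
    when no assertion line is present at all.
    """
    m = ASSERT_RE.search(stderr_text)
    if not m:
        return {"verdict": "no-assertion", "message": None,
                "file": None, "line": None}
    msg = m.group("msg")
    verdict = ("expected-oom-crash" if msg.startswith(UNHANDLABLE_OOM)
               else "investigate")
    return {"verdict": verdict, "message": msg,
            "file": m.group("file"), "line": int(m.group("line"))}


def crashes_to_investigate(stderr_texts):
    """Return only the stderr texts that still deserve a look."""
    return [s for s in stderr_texts
            if triage_crash(s)["verdict"] != "expected-oom-crash"]


# Constructed samples: the first is the stderr from this bug, the second is
# a made-up assertion (placeholder path and line) that is not an OOM crash.
SAMPLE_OOM = (
    "Assertion failure: [unhandlable oom] ExceptionHandlerBailout, "
    "at js/src/jscntxt.cpp:1216\nHit MOZ_CRASH() at js/src/jscntxt.cpp:1217\n"
)
SAMPLE_OTHER = "Assertion failure: obj->isNative(), at js/src/placeholder.cpp:42\n"

if __name__ == "__main__":
    for sample in (SAMPLE_OOM, SAMPLE_OTHER):
        print(triage_crash(sample))
    print(len(crashes_to_investigate([SAMPLE_OOM, SAMPLE_OTHER])), "to investigate")
```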
(Reporter)

Updated

3 years ago
Resolution: INVALID → WONTFIX