Closed Bug 1248321 Opened 9 years ago Closed 9 years ago

Crash due to Assertion failure: JSScript::argumentsOptimizationFailed, at js/src/jscntxt.cpp:1221

Categories

(Core :: JavaScript Engine, defect)

47 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: spandan.veggalam, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160209234513

Steps to reproduce:

The following testcase crashes on mozilla-central version 7042e8a19f94 (build options --enable-optimize --enable-valgrind --enable-gczeal --enable-debug)

gcparam("maxBytes", gcparam("gcBytes") + 4 * 1024);
var max = 400;
function f(b) {
    if (b) {
        f(b - 1);
    } else {
        g = RegExp.prototype.__proto__;
    }
    g.apply(null, arguments);
}
f(max - 1);

Actual results:

Assertion failure: [unhandlable oom] JSScript::argumentsOptimizationFailed, at js/src/jscntxt.cpp:1221

It looks like this code was added in bug 978802. Jon, could you take a look at this? How much of a security issue is this?

(In reply to Spandan Veggalam from comment #0)
> Actual results:
>
> Assertion failure: [unhandlable oom] JSScript::argumentsOptimizationFailed,
> at js/src/jscntxt.cpp:1221

This is not a security issue or a bug. Unhandlable OOMs are expected and fuzzers should ignore them :)

Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Group: core-security
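
The resolution above means a fuzzing harness should drop assertion lines tagged `[unhandlable oom]` before anything is filed. The following triage filter is an added example, not code from this bug or from any Mozilla fuzzer; the function names, the `Hypothetical.cpp` path and the sample captures are constructed for illustration.

```python
import re
from collections import Counter

# Shape of the line quoted in this bug:
#   Assertion failure: [tag] message, at file:line
ASSERT_RE = re.compile(
    r"^Assertion failure: (?:\[(?P<tag>[^\]]+)\] )?"
    r"(?P<msg>.*), at (?P<file>[^\s:]+):(?P<line>\d+)$"
)
# Tags treated as expected aborts, not findings. Only "unhandlable oom"
# comes from this bug; any further entry would be the harness owner's call.
IGNORED_TAGS = {"unhandlable oom"}

# Constructed stderr captures. The first assertion line is the one from this
# bug; the Hypothetical.cpp lines are invented for the example.
SAMPLE_RUNS = [
    "Assertion failure: [unhandlable oom] JSScript::argumentsOptimizationFailed, at js/src/jscntxt.cpp:1221\n",
    "warning: constructed noise\nAssertion failure: index < length, at js/src/Hypothetical.cpp:42\n",
    "Assertion failure: index < length, at js/src/Hypothetical.cpp:42\n",
    "exited normally\n",
]

def triage(stderr_text):
    """Return (verdict, signature); verdict is no-assert, ignore or report."""
    for raw in stderr_text.splitlines():
        m = ASSERT_RE.match(raw.strip())
        if m:
            sig = f"{m['msg']} @ {m['file']}:{m['line']}"
            # An untagged assertion has tag None, which is never ignored.
            return ("ignore" if m["tag"] in IGNORED_TAGS else "report"), sig
    return "no-assert", None

def summarize(runs):
    """Bucket report-worthy runs by signature so duplicates collapse."""
    buckets = Counter()
    for text in runs:
        verdict, sig = triage(text)
        if verdict == "report":
            buckets[sig] += 1
    return dict(buckets)

if __name__ == "__main__":
    print(summarize(SAMPLE_RUNS))
```
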