Bug 1248321
Opened 9 years ago
Closed 9 years ago
Crash due to Assertion failure: JSScript::argumentsOptimizationFailed, at js/src/jscntxt.cpp:1221
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
INVALID
People
(Reporter: spandan.veggalam, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20160209234513
Steps to reproduce:
The following testcase crashes on mozilla-central version 7042e8a19f94 (build options --enable-optimize --enable-valgrind --enable-gczeal --enable-debug):

    gcparam("maxBytes", gcparam("gcBytes") + 4 * 1024);
    var max = 400;
    function f(b) {
        if (b) {
            f(b - 1);
        } else {
            g = RegExp.prototype.__proto__;
        }
        g.apply(null, arguments);
    }
    f(max - 1);
Actual results:
Assertion failure: [unhandlable oom] JSScript::argumentsOptimizationFailed, at js/src/jscntxt.cpp:1221
Comment 1•9 years ago
It looks like this code was added in bug 978802. Jon, could you take a look at this? How much of a security issue is this?
Comment 2•9 years ago
(In reply to Spandan Veggalam from comment #0)
> Actual results:
>
> Assertion failure: [unhandlable oom] JSScript::argumentsOptimizationFailed,
> at js/src/jscntxt.cpp:1221
This is not a security issue or a bug. Unhandlable OOMs are expected and fuzzers should ignore them :)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INVALID
Updated•9 years ago
Group: core-security
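A triage filter of the kind comment 2 asks fuzzers to apply, as an added example that is not part of the original bug or of Mozilla's tooling: it parses the assertion line format quoted in this report and sets aside runs tagged `[unhandlable oom]`. The function names, the verdict labels and the second and third sample runs are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Shape of the assertion line quoted in this report:
#   Assertion failure: [tag] message, at path/file.cpp:LINE
# The bracketed tag is optional; ordinary assertions do not carry one.
ASSERT_RE = re.compile(
    r"^Assertion failure: (?:\[(?P<tag>[^\]]+)\] )?"
    r"(?P<msg>.*), at (?P<file>\S+):(?P<line>\d+)$"
)

# Tags treated as expected rather than reportable (per comment 2).
EXPECTED_TAGS = {"unhandlable oom"}


def parse_assertion(stderr_text):
    """Return the fields of the first assertion line in stderr_text, or None."""
    for raw in stderr_text.splitlines():
        m = ASSERT_RE.match(raw.strip())
        if m:
            fields = m.groupdict()
            fields["line"] = int(fields["line"])
            return fields
    return None


def triage(stderr_text):
    """Classify one run as 'no-assert', 'expected-oom' or 'report'."""
    hit = parse_assertion(stderr_text)
    if hit is None:
        return "no-assert", None
    signature = f'{hit["msg"]} @ {hit["file"]}:{hit["line"]}'
    if hit["tag"] in EXPECTED_TAGS:
        return "expected-oom", signature
    return "report", signature


def summarize(runs):
    """Count verdicts over an iterable of stderr captures."""
    return Counter(triage(text)[0] for text in runs)


# First entry is the line from this report; the other two are constructed.
SAMPLE_RUNS = [
    "Assertion failure: [unhandlable oom] JSScript::argumentsOptimizationFailed, "
    "at js/src/jscntxt.cpp:1221",
    "Assertion failure: index < length, at js/src/constructed_example.cpp:42",
    "run completed, exit status 0",
]
```

The filter keys on the bracketed tag in the raw stderr line, so it has to run on the captured output itself: a summary that drops the tag, as this bug's title does, would be classified as `report`.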