Closed
Bug 1263879
Opened 9 years ago
Closed 9 years ago
Crash [@ js::str_replace_string_raw] with OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla48
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: decoder, Assigned: arai)
References
(Blocks 1 open bug)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update,bisect])
Crash Data
Attachments
(1 file)
|
1.51 KB,
patch
|
h4writer
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 29d5a4175c8b (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe):
lfLogBuffer = `
"".replace([[2], 3])
`.split('\n');
lfCodeBuffer = ""
while (true) {
line = lfLogBuffer.shift()
if (line == null) break
loadFile()
lfCodeBuffer += line + "\n"
}
loadFile(lfCodeBuffer);
function loadFile(lfVarx)
oomTest(function() eval(lfVarx))
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
js::str_replace_string_raw (cx=0x7ffff6908800, string=string@entry=..., pattern=pattern@entry=..., replacement=..., replacement@entry=...) at js/src/jsstr.cpp:2321
#0 js::str_replace_string_raw (cx=0x7ffff6908800, string=string@entry=..., pattern=pattern@entry=..., replacement=..., replacement@entry=...) at js/src/jsstr.cpp:2321
#1 0x0000000000add46d in intrinsic_StringReplaceString (cx=<optimized out>, argc=<optimized out>, vp=0x7ffff31f62a0) at js/src/vm/SelfHosting.cpp:1623
#2 0x0000000000a908c2 in js::CallJSNative (cx=0x7ffff6908800, native=0xadd390 <intrinsic_StringReplaceString(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
#3 0x0000000000a8cdc7 in js::Invoke (cx=cx@entry=0x7ffff6908800, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:476
[...]
#45 0x0000000000000000 in ?? ()
rax 0x0 0
rbx 0x7ffff6908800 140737330055168
rcx 0x0 0
rdx 0x7fffffffa3d0 140737488331728
rsi 0x7ffff694b800 140737330329600
rdi 0x7fffffffa1b0 140737488331184
rbp 0x7fffffffa550 140737488332112
rsp 0x7fffffffa320 140737488331552
r8 0x7ffff7e89180 140737352601984
r9 0x1 1
r10 0x7fffffffa260 140737488331360
r11 0x1b 27
r12 0x7fffffffa570 140737488332144
r13 0x7fffffffa590 140737488332176
r14 0x7fffffffa5a0 140737488332192
r15 0x7ffff6908850 140737330055248
rip 0x99590c <js::str_replace_string_raw(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>, JS::Handle<JSString*>)+156>
=> 0x99590c <js::str_replace_string_raw(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>, JS::Handle<JSString*>)+156>: mov 0x4(%rax),%r15d
0x995910 <js::str_replace_string_raw(JSContext*, JS::Handle<JSString*>, JS::Handle<JSString*>, JS::Handle<JSString*>)+160>: lea -0xc0(%rbp),%rax
|
Assignee | |
Comment 1•9 years ago
|
||
This is a regression from bug 887016.
It's a null pointer dereference because of not-checking the return value of AtomizeString.
I'll prepare a patch shortly.
|
|
Assignee | |
Comment 2•9 years ago
|
||
Just added the null check.
I cannot reduce the testcase from there, so just renamed the variable to somewhat readable.
Attachment #8740793 -
Flags: review?(hv1989)
|
||
Updated•9 years ago
|
Attachment #8740793 -
Flags: review?(hv1989) → review+
|
|
Assignee | |
Comment 3•9 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/c70372e8bd86cfb1c568a20448f88ce88f3c98e9
Bug 1263879 - Check the return value of AtomizeString in str_replace_string_raw. r=h4writer
|
||
Comment 4•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in
before you can comment on or make changes to this bug.
Description
•