Closed
Bug 1264612
Opened 8 years ago
Closed 8 years ago
Crash [@ ??] with RegExp and OOM
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 1262936
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])
The following testcase crashes on mozilla-central revision fb921246e2d6 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):

var lfLogBuffer = `
s = "x";
for (i = 0; i != 13; i++) s += s;
b = /(x)*/.exec(s);
`.split('\n');
lfCodeBuffer = ""
while (true) {
  line = lfLogBuffer.shift()
  if (line == null) {
    break
  }
  lfCodeBuffer += line + "\n"
}
loadFile(lfCodeBuffer)
function loadFile(lfVarx) {
  oomTest(function() {
    eval(lfVarx)
  })
}

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f9db2f in ?? ()
#0 0x00007ffff7f9db2f in ?? ()
#1 0x00007ffff4744000 in ?? ()
#2 0x0000000000000000 in ?? ()
rax 0x7ffff4746000 140737294655488
rbx 0x0 0
rcx 0xa 10
rdx 0xffffffffffffe000 -8192
rsi 0x0 0
rdi 0x7fffffff9790 140737488328592
rbp 0x7ffff7f9dcba 140737353735354
rsp 0x7fffffff9708 140737488328456
r8 0x7ffff4746000 140737294655488
r9 0x7fffffff9a70 140737488329328
r10 0xfffffffffffff000 -4096
r11 0x7ffff695c208 140737330397704
r12 0x7ffff698c6d0 140737330595536
r13 0x7fffffff99e0 140737488329184
r14 0x7ffff6908800 140737330055168
r15 0x7fffffff9890 140737488328848
rip 0x7ffff7f9db2f 140737353734959
=> 0x7ffff7f9db2f: mov %rbp,(%rbx)
   0x7ffff7f9db32: add $0x8,%rbx

Marking s-s because it's a heap crash. Deref is at null, so we can unhide the bug if it was confirmed that this is always a null deref.
Updated•8 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
Comment 1•8 years ago
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Updated•8 years ago
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
Comment 2•8 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ac58a56021ac
user: Andrea Marchesini
date: Sat Mar 19 14:32:18 2016 +0100
summary: Bug 1173320 - patch 1/8 - Implement Directory object as string and not as BlobImpl, r=smaug

This iteration took 281.947 seconds to run.
Comment 3•8 years ago
Comment 2 is likely wrong.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/134b9a7003b3
user: Jan de Mooij
date: Fri Nov 06 09:37:39 2015 +0100
summary: Bug 683218 - Remove non-standard __noSuchMethod__ feature. r=efaust

Jan, is bug 683218 a likely regressor?
Blocks: 683218
status-firefox47: --- → affected
status-firefox-esr45: --- → affected
Flags: needinfo?(jdemooij)
Comment 4•8 years ago
Same issue as bug 1262936, OOM in RegExpStack::reset.
No longer blocks: 683218
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Comment 5•8 years ago
(In reply to Christian Holler (:decoder) from comment #0)
> Marking s-s because it's a heap crash. Deref is at null, so we can unhide
> the bug if it was confirmed that this is always a null deref.

Yup.
Group: javascript-core-security