Closed
Bug 1264612
Opened 8 years ago
Closed 8 years ago
Crash [@ ??] with RegExp and OOM
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1262936
People
(Reporter: decoder, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase, Whiteboard: [jsbugmon:])
Crash Data
The following testcase crashes on mozilla-central revision fb921246e2d6 (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --thread-count=2 --ion-eager):
var lfLogBuffer = `
s = "x";
for (i = 0; i != 13; i++) s += s;
b = /(x)*/.exec(s);
`.split('\n');
lfCodeBuffer = ""
while (true) {
line = lfLogBuffer.shift()
if (line == null) {
break
}
lfCodeBuffer += line + "\n"
}
loadFile(lfCodeBuffer)
function loadFile(lfVarx) {
oomTest(function() {
eval(lfVarx)
})
}
Backtrace:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7f9db2f in ?? ()
#0 0x00007ffff7f9db2f in ?? ()
#1 0x00007ffff4744000 in ?? ()
#2 0x0000000000000000 in ?? ()
rax 0x7ffff4746000 140737294655488
rbx 0x0 0
rcx 0xa 10
rdx 0xffffffffffffe000 -8192
rsi 0x0 0
rdi 0x7fffffff9790 140737488328592
rbp 0x7ffff7f9dcba 140737353735354
rsp 0x7fffffff9708 140737488328456
r8 0x7ffff4746000 140737294655488
r9 0x7fffffff9a70 140737488329328
r10 0xfffffffffffff000 -4096
r11 0x7ffff695c208 140737330397704
r12 0x7ffff698c6d0 140737330595536
r13 0x7fffffff99e0 140737488329184
r14 0x7ffff6908800 140737330055168
r15 0x7fffffff9890 140737488328848
rip 0x7ffff7f9db2f 140737353734959
=> 0x7ffff7f9db2f: mov %rbp,(%rbx)
0x7ffff7f9db32: add $0x8,%rbx
Marking s-s because it's a heap crash. Deref is at null, so we can unhide the bug if it was confirmed that this is always a null deref.
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
|
|
||
Comment 1•8 years ago
|
||
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
|
|
||
Updated•8 years ago
|
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
|
|
||
Comment 2•8 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/ac58a56021ac user: Andrea Marchesini date: Sat Mar 19 14:32:18 2016 +0100 summary: Bug 1173320 - patch 1/8 - Implement Directory object as string and not as BlobImpl, r=smaug This iteration took 281.947 seconds to run.
Comment 2 is likely wrong. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/134b9a7003b3 user: Jan de Mooij date: Fri Nov 06 09:37:39 2015 +0100 summary: Bug 683218 - Remove non-standard __noSuchMethod__ feature. r=efaust Jan, is bug 683218 a likely regressor?
Blocks: 683218
status-firefox47:
--- → affected
status-firefox-esr45:
--- → affected
Flags: needinfo?(jdemooij)
|
||
Comment 4•8 years ago
|
||
Same issue as bug 1262936, OOM in RegExpStack::reset.
No longer blocks: 683218
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
|
|
||
Comment 5•8 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #0) > Marking s-s because it's a heap crash. Deref is at null, so we can unhide > the bug if it was confirmed that this is always a null deref. Yup.
Group: javascript-core-security
|
||
Updated•8 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•