Crash [@ js::CopyAndInflateChars] with OOM in newExternalString

RESOLVED FIXED in Firefox -esr52

Status


defect
--
critical
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks 2 bugs, {crash, jsbugmon, testcase})

Trunk
mozilla55
x86_64
Linux
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox52 wontfix, firefox-esr52 fixed, firefox53 fixed, firefox54 fixed, firefox55 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

The following testcase crashes on mozilla-central revision 9732cd019a8b (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-stdcxx-compat --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

oomAfterAllocations(1);
newExternalString("a");

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000be99cc in js::CopyAndInflateChars (srclen=<optimized out>, src=<optimized out>, dst=0x0) at js/src/jsstr.h:301
#0  0x0000000000be99cc in js::CopyAndInflateChars (srclen=<optimized out>, src=<optimized out>, dst=0x0) at js/src/jsstr.h:301
#1  js::CopyChars<char16_t> (dest=dest@entry=0x0, str=...) at js/src/vm/String.cpp:359
#2  0x0000000000938e1e in JS_CopyStringChars (cx=cx@entry=0x7ffff6948000, dest=..., str=0x7ffff4600c60) at js/src/jsapi.cpp:5306
#3  0x0000000000855202 in NewExternalString (cx=0x7ffff6948000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/TestingFunctions.cpp:1279
#4  0x0000000000541420 in js::CallJSNative (cx=cx@entry=0x7ffff6948000, native=0x8550e0 <NewExternalString(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:282
[...]
#17 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:8436
rax	0x7ffff4600c68	140737293323368
rbx	0x0	0
rcx	0x61	97
rdx	0x0	0
rsi	0x0	0
rdi	0x7ffff4600c60	140737293323360
rbp	0x7fffffffca50	140737488341584
rsp	0x7fffffffca10	140737488341520
r8	0x0	0
r9	0x7ffff430f60b	140737290237451
r10	0x7ffff6950800	140737330350080
r11	0x7ffff6916060	140737330110560
r12	0x1	1
r13	0x7fffffffca10	140737488341520
r14	0x7ffff4600c60	140737293323360
r15	0x1	1
rip	0xbe99cc <js::CopyChars<char16_t>(char16_t*, JSLinearString const&)+764>
=> 0xbe99cc <js::CopyChars<char16_t>(char16_t*, JSLinearString const&)+764>:	mov    %cx,(%rbx,%rdx,2)
   0xbe99d0 <js::CopyChars<char16_t>(char16_t*, JSLinearString const&)+768>:	add    $0x1,%rdx
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1 is invalid (probably autoBisect got confused by the intermittence), newExternalString only got added a few months ago.

Setting Jan as a fallback for needinfo.
Flags: needinfo?(jdemooij)
Posted patch: Patch
Missing OOM check in a testing function.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Flags: needinfo?(jdemooij)
Attachment #8846610 - Flags: review?(bbouvier)
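The defect behind this bug, as an added C example that is neither the project's code nor its patch (the patch itself is not shown on this page): a hypothetical fault-injecting allocator in the spirit of the shell's oomAfterAllocations(n), a Latin-1 to UTF-16 inflation loop standing in for js::CopyAndInflateChars, and the allocate-then-copy step in its unchecked and checked forms. All function names are assumptions; the testcase and the register values referenced in the comments come from the report above.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical fault injector in the spirit of oomAfterAllocations(n):
 * armed with n > 0, the n-th allocation returns NULL; n <= 0 disarms it. */
static int g_allocs_until_oom = 0;
void oom_after_allocations(int n) { g_allocs_until_oom = n; }
void *test_malloc(size_t bytes) {
    if (g_allocs_until_oom > 0 && --g_allocs_until_oom == 0)
        return NULL;                                   /* simulated OOM */
    return malloc(bytes);
}

/* Latin-1 to UTF-16 inflation, standing in for js::CopyAndInflateChars;
 * the crash in the report is this store with dst == NULL (rbx = 0). */
void copy_and_inflate_chars(uint16_t *dst, const unsigned char *src, size_t n) {
    for (size_t i = 0; i < n; i++)
        dst[i] = src[i];
}

/* Defective shape: the allocation result goes straight into the copy. */
uint16_t *new_external_string_unchecked(const char *latin1, size_t n) {
    uint16_t *buf = test_malloc(n * sizeof(uint16_t));
    copy_and_inflate_chars(buf, (const unsigned char *)latin1, n); /* NULL deref */
    return buf;
}

/* Fixed shape: OOM is reported to the caller rather than dereferenced. */
uint16_t *new_external_string_checked(const char *latin1, size_t n) {
    uint16_t *buf = test_malloc(n * sizeof(uint16_t));
    if (!buf) return NULL;                             /* the missing check */
    copy_and_inflate_chars(buf, (const unsigned char *)latin1, n);
    return buf;
}

/* Mirrors the testcase oomAfterAllocations(1); newExternalString("a"):
 * returns 1 when the forced OOM surfaces as NULL instead of a crash. */
int oom_is_reported(void) {
    oom_after_allocations(1);
    return new_external_string_checked("a", 1) == NULL;
}

/* Without injection "a" inflates to the single code unit 0x61 (rcx in the dump). */
int inflated_first_unit(void) {
    oom_after_allocations(0);
    uint16_t *s = new_external_string_checked("a", 1);
    int unit = s ? s[0] : -1;
    free(s);
    return unit;
}
```

Calling new_external_string_unchecked after oom_after_allocations(1) reproduces the write through a null destination pointer seen in the backtrace; the checked form turns the same injected failure into an error return.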
Comment on attachment 8846610 [details] [diff] [review]
Patch

Review of attachment 8846610 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks!
Attachment #8846610 - Flags: review?(bbouvier) → review+
Pushed by jandemooij@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/bd44d77252aa
Fix OOM bug in newExternalString testing function. r=bbouvier
https://hg.mozilla.org/mozilla-central/rev/bd44d77252aa
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Whiteboard: [jsbugmon:update] → [jsbugmon:update][checkin-needed-aurora][checkin-needed-beta][checkin-needed-esr52][a=test-only]
https://hg.mozilla.org/releases/mozilla-esr52/rev/405bba2d38b1
Flags: in-testsuite+
Whiteboard: [jsbugmon:update][checkin-needed-aurora][checkin-needed-beta][checkin-needed-esr52][a=test-only] → [jsbugmon:update][checkin-needed-aurora][checkin-needed-beta]
https://hg.mozilla.org/releases/mozilla-beta/rev/6bd7ff837fdb
Whiteboard: [jsbugmon:update][checkin-needed-aurora][checkin-needed-beta] → [jsbugmon:update]