Closed Bug 1640475 Opened 5 years ago Closed 5 years ago

Missing OOM handling after js_malloc in RegExpShared::initializeNamedCaptures

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla78

Tracking Flags:

Tracking

Status

firefox78

---

fixed

People

(Reporter: anba, Assigned: iain)

References

Details

Attachments

(1 file)

Bug 1640475: Report OOM in initializeNamedCaptures r=mgaudet 5 years ago Iain Ireland [:iain] 47 bytes, text/x-phabricator-request		Details \| Review

André Bargull [:anba]

Reporter

Description

•

5 years ago

Test case:

var i = 0;
oomTest(function() {
    for (var j = 0; j < 10; ++j) {
        var r = RegExp(`(?<_${(i++).toString(32)}>a)`);
        r.exec("a");
    }
});

Asserts with:

Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?)

Reason:
OOM after js_malloc not handled in RegExpShared::initializeNamedCaptures.

Steven DeTar [:sdetar]

Comment 1

•

5 years ago

Iain, could you look at this bug

Severity: -- → S3

Flags: needinfo?(iireland)

Priority: -- → P2

Iain Ireland [:iain]

Assignee

Comment 2

•

5 years ago

Attached file Bug 1640475: Report OOM in initializeNamedCaptures r=mgaudet — Details

Phabricator Automation

Updated

•

5 years ago

Assignee: nobody → iireland

Status: NEW → ASSIGNED

Iain Ireland [:iain]

Assignee

Updated

•

5 years ago

Flags: needinfo?(iireland)

Pulsebot

Comment 3

•

5 years ago

Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b4c531b04559 Report OOM in initializeNamedCaptures r=mgaudet

Razvan Maries

Comment 4

•

5 years ago

Backed out for SM bustages on bug1640475.js.

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=autoland&selectedTaskRun=OdLRGZL9STOjafUT6j462g-0&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception&searchStr=linux%2Cx64%2Copt%2Cspidermonkey%2Cbuilds%2Cspidermonkey-sm-fuzzing-linux64%2Fopt%2Csm%28f%29&revision=b4c531b04559f2a59ef43d2f16c7549be01e154d

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=303987999&repo=autoland&lineNumber=14488

Backout: https://hg.mozilla.org/integration/autoland/rev/ca57ba90ff1ab5c8ca519bdeef486f4f65fdecd7

Flags: needinfo?(iireland)

Iain Ireland [:iain]

Assignee

Comment 5

•

5 years ago

Forgot to make the testcase conditional on oomTest being defined.

Flags: needinfo?(iireland)

Pulsebot

Comment 6

•

5 years ago

Pushed by iireland@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/08de9180d90c Report OOM in initializeNamedCaptures r=mgaudet

Razvan Maries

Comment 7

•

5 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/08de9180d90c

Status: ASSIGNED → RESOLVED

Closed: 5 years ago

status-firefox78: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla78

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Missing OOM handling after js_malloc in RegExpShared::initializeNamedCaptures

Categories

(Core :: JavaScript Engine, defect, P2)

Tracking

()

People

(Reporter: anba, Assigned: iain)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Updated

Updated

Comment 3

Comment 4

Comment 5

Comment 6

Comment 7

Attachment

General

Description

File Name

Content Type