Closed Bug 1652148 Opened 4 years ago Closed 4 years ago

Crash [@ js::NewbornArrayPush] with OOM

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox78 --- wontfix
firefox79 --- wontfix
firefox80 --- fixed

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(Keywords: crash, regression, testcase, Whiteboard: [bugmon:update,bisect,confirmed])

Crash Data

Attachments

(2 files)

Testcase
138 bytes, text/plain
Details
Bug 1652148: Handle allocation failure in AggregateError constructor. r=jorendorff!
47 bytes, text/x-phabricator-request
Details | Review

The following testcase crashes on mozilla-central revision 20200710-01da3a7fa07c (debug build, run with --fuzzing-safe --ion-offthread-compile=off):

oomTest(() => {
    const g = newGlobal();
    let errors = new g.AggregateError([{}]).errors;
    [-true, 0, 1, ({}.i++), 32].sort();
});

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555555988ab4 in js::NewbornArrayPush(JSContext*, JS::Handle<JSObject*>, JS::Value const&) ()
#0  0x0000555555988ab4 in js::NewbornArrayPush(JSContext*, JS::Handle<JSObject*>, JS::Value const&) ()
#1  0x0000555555b4b9f1 in AggregateError(JSContext*, unsigned int, JS::Value*) ()
#2  0x000023e2d85424f2 in ?? ()
[...]
#25 0x0000000000000000 in ?? ()
rax	0x84b3a301	2226365185
rbx	0x7fffffffb0c0	140737488335040
rcx	0x98de32ddc565f00	688456104167235328
rdx	0x7fffffffb0c0	140737488335040
rsi	0x7fffffffb0e0	140737488335072
rdi	0x0	0
rbp	0x7fffffffb020	140737488334880
rsp	0x7fffffffaff0	140737488334832
r8	0x7fffffffb001	140737488334849
r9	0x7fffffffb0c0	140737488335040
r10	0xffffd55557151408	-46912466775032
r11	0x7b284bfffff	8463312748543
r12	0x7ffff6027000	140737320742912
r13	0x7ffff6027018	140737320742936
r14	0x7fffffffb0f0	140737488335088
r15	0x7ffff6027000	140737320742912
rip	0x555555988ab4 <js::NewbornArrayPush(JSContext*, JS::Handle<JSObject*>, JS::Value const&)+20>
=> 0x555555988ab4 <_ZN2js16NewbornArrayPushEP9JSContextN2JS6HandleIP8JSObjectEERKNS2_5ValueE+20>:	mov    (%rdi),%rax
   0x555555988ab7 <_ZN2js16NewbornArrayPushEP9JSContextN2JS6HandleIP8JSObjectEERKNS2_5ValueE+23>:	test   $0x7,%al
Attached file Testcase 
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Keywords: bugmon
Whiteboard: [bugmon:update,bisect] → [bugmon:update,bisect,confirmed]

    
    

    
  
Bugmon Analysis:
Unable to reproduce bug using the following builds:
> mozilla-central 20200713095122-2c8bc998c107
> mozilla-central 20200710094819-01da3a7fa07c
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.
Severity: -- → S3
Priority: -- → P1

    
    

    
  
Pushed by rmaries@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a663ba808b66
Handle allocation failure in AggregateError constructor. r=jorendorff

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/a663ba808b66


Status: ASSIGNED → RESOLVED
Closed: 4 years ago

          status-firefox80:
          affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80

    
  
Has Regression Range: --- → yes

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: