Open Bug 1729525 Opened 3 years ago Updated 3 years ago

Crash [@ NS_ABORT_OOM]

Categories: Core :: XSLT, defect, P3
Platform: x86_64 Linux

People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: testcase; Whiteboard: [bugmon:confirm]

Attachments: 1 file (2.75 KB, application/octet-stream)

Testcase found while fuzzing mozilla-central rev eac402936496 (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build eac402936496 --debug --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
[@ NS_ABORT_OOM]

    ==274240==WARNING: AddressSanitizer failed to allocate 0x20e00000 bytes
    =================================================================
    ==274240==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fccda612635 bp 0x7ffdcf08ae60 sp 0x7ffdcf08ae60 T0)
    ==274240==The signal is caused by a WRITE memory access.
    ==274240==Hint: address points to the zero page.
        #0 0x7fccda612635 in NS_ABORT_OOM(unsigned long) /xpcom/base/nsDebugImpl.cpp:618:3
        #1 0x7fcce20a6df5 in txMozillaXMLOutput::characters(nsTSubstring<char16_t> const&, bool) /dom/xslt/xslt/txMozillaXMLOutput.cpp:161:11
        #2 0x7fcce20995e5 in txValueOf::execute(txExecutionState&) /dom/xslt/xslt/txInstructions.cpp:781:34
        #3 0x7fcce20de1cb in txXSLTProcessor::execute(txExecutionState&) /dom/xslt/xslt/txXSLTProcessor.cpp:37:17
        #4 0x7fcce20b3839 in txMozillaXSLTProcessor::TransformToFragment(nsINode&, mozilla::dom::Document&, mozilla::ErrorResult&) /dom/xslt/xslt/txMozillaXSLTProcessor.cpp:630:10
        #5 0x7fccdf4e5aed in mozilla::dom::XSLTProcessor_Binding::transformToFragment(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/XSLTProcessorBinding.cpp:145:83
        #6 0x7fccdfbb87cf in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3300:13
        #7 0x7fcc505143a1  (<unknown module>)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: SEGV /xpcom/base/nsDebugImpl.cpp:618:3 in NS_ABORT_OOM(unsigned long)
    ==274240==ABORTING
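For triage of reports like the one above, the following is an added example (not Mozilla, grizzly or fuzzfetch code) that parses the AddressSanitizer output into structured fields: it separates the deliberate NS_ABORT_OOM abort (the failed 0x20e00000-byte allocation reported in the WARNING line) from a genuine memory-safety fault at the reported address, and builds a short stack signature for bucketing duplicate crashes. The sample report embedded in it is a constructed excerpt of this bug's trace with some frames omitted; the Frame and Triage classes, the NOISE_PREFIXES list and the signature depth are assumptions of this example, not anything the bug or the fuzzing tooling defines.

```python
"""Parse an AddressSanitizer report and derive triage fields: the reported
error, whether it is an allocation-failure abort rather than a memory-safety
fault, and a short stack signature for deduplication.
Added example for this bug; not Mozilla or grizzly code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: an excerpt of the trace in this bug (frames #4-#6 omitted).
SAMPLE_REPORT = """\
==274240==WARNING: AddressSanitizer failed to allocate 0x20e00000 bytes
=================================================================
==274240==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fccda612635 bp 0x7ffdcf08ae60 sp 0x7ffdcf08ae60 T0)
==274240==The signal is caused by a WRITE memory access.
==274240==Hint: address points to the zero page.
    #0 0x7fccda612635 in NS_ABORT_OOM(unsigned long) /xpcom/base/nsDebugImpl.cpp:618:3
    #1 0x7fcce20a6df5 in txMozillaXMLOutput::characters(nsTSubstring<char16_t> const&, bool) /dom/xslt/xslt/txMozillaXMLOutput.cpp:161:11
    #2 0x7fcce20995e5 in txValueOf::execute(txExecutionState&) /dom/xslt/xslt/txInstructions.cpp:781:34
    #3 0x7fcce20de1cb in txXSLTProcessor::execute(txExecutionState&) /dom/xslt/xslt/txXSLTProcessor.cpp:37:17
    #7 0x7fcc505143a1  (<unknown module>)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /xpcom/base/nsDebugImpl.cpp:618:3 in NS_ABORT_OOM(unsigned long)
==274240==ABORTING
"""

# Symbolized frame: "#N 0xADDR in FUNC(ARGS) /path/file.cpp:LINE:COL"
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*?)\s+(\S+)\s*$")
# Unsymbolized frame: "#N 0xADDR (<unknown module>)" or "#N 0xADDR (lib.so+0x...)"
UNKNOWN_FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-fA-F]+\s+\((.*)\)\s*$")
ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+)(?: on (?:unknown )?address (0x[0-9a-fA-F]+))?")
ALLOC_FAIL_RE = re.compile(r"AddressSanitizer failed to allocate (0x[0-9a-fA-F]+) bytes")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
# Assumed list of frames that describe how the process died, not where the bug is.
NOISE_PREFIXES = ("NS_ABORT_OOM", "MOZ_Crash", "mozalloc_abort", "__asan", "__sanitizer", "abort", "raise")


@dataclass
class Frame:
    index: int
    function: str
    file: str | None   # None when the frame is not symbolized
    line: int | None


@dataclass
class Triage:
    error: str                  # ASan error kind, e.g. "SEGV" or "heap-buffer-overflow"
    fault_address: str | None
    access: str | None          # "READ" / "WRITE" when ASan reports it
    failed_alloc_bytes: int | None
    kind: str                   # "oom-abort" or "memory-error"
    signature: str
    frames: list[Frame]


def short_name(function: str) -> str:
    """Strip parameter list, template arguments and return type; keep the qualified name."""
    name = function.split("(", 1)[0].split("<", 1)[0]
    tokens = name.split()
    return tokens[-1] if tokens else function


def parse_frames(report: str) -> list[Frame]:
    frames: list[Frame] = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            loc = m.group(3)
            lm = re.match(r"^(.*?):(\d+)(?::\d+)?$", loc)  # file:line[:col]
            file, lineno = (lm.group(1), int(lm.group(2))) if lm else (loc, None)
            frames.append(Frame(int(m.group(1)), m.group(2), file, lineno))
            continue
        m = UNKNOWN_FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), m.group(2), None, None))
    return frames


def signature(frames: list[Frame], depth: int = 3) -> str:
    """Join the first `depth` symbolized, non-noise frames for crash bucketing."""
    useful = [f for f in frames
              if f.file is not None and not short_name(f.function).startswith(NOISE_PREFIXES)]
    return " | ".join(short_name(f.function) for f in useful[:depth])


def triage(report: str) -> Triage:
    frames = parse_frames(report)
    em = ERROR_RE.search(report)
    am = ALLOC_FAIL_RE.search(report)
    acc = ACCESS_RE.search(report)
    failed = int(am.group(1), 16) if am else None
    top = short_name(frames[0].function) if frames else ""
    # An allocation-failure warning or an NS_ABORT_OOM top frame means the SEGV is the
    # deliberate abort on OOM (write to the zero page), not a fault at a corrupted address.
    kind = "oom-abort" if failed is not None or top == "NS_ABORT_OOM" else "memory-error"
    return Triage(
        error=em.group(1) if em else "unknown",
        fault_address=em.group(2) if em else None,
        access=acc.group(1) if acc else None,
        failed_alloc_bytes=failed,
        kind=kind,
        signature=signature(frames),
        frames=frames,
    )


if __name__ == "__main__":
    t = triage(SAMPLE_REPORT)
    print(f"{t.error} ({t.access}) at {t.fault_address}; kind={t.kind}")
    if t.failed_alloc_bytes is not None:
        print(f"failed allocation: {t.failed_alloc_bytes / 2**20:.1f} MiB")
    print("signature:", t.signature)
```

Run on the sample, the report is classified as an OOM abort after a failed allocation of roughly 526 MiB, and the signature skips the NS_ABORT_OOM frame so that it starts at txMozillaXMLOutput::characters, the XSLT output code that actually requested the memory; a report whose top frame is a real memory error keeps the kind "memory-error" and its signature starts at the faulting function.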
Attached file Testcase
Component: DOM: Core & HTML → XSLT
Depends on: domino
Blocks: domino
No longer depends on: domino

Peter, can you assess severity for this?

Flags: needinfo?(peterv)
Severity: -- → S3
Flags: needinfo?(peterv)
Priority: -- → P3
