Open Bug 1777569 Opened 2 years ago Updated 2 years ago

AddressSanitizer failed to allocate 0x200002000 (8589942784) bytes of LargeMmapAllocator (error code: 1455) [@ __asan::CheckUnwind]

Categories

(Core :: Web Audio, defect, P3)

x86_64
Windows
defect

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: testcase, Whiteboard: [bugmon:confirm])

Attachments

(1 file)

Testcase found while fuzzing mozilla-central rev 65e579f52525 (built with: --enable-address-sanitizer --enable-fuzzing).

This testcase consistently crashes ASan builds on Windows. On an opt build, the testcase does not appear to cause any significant increase in memory usage.

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 65e579f52525 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
AddressSanitizer failed to allocate 0x200002000 (8589942784) bytes of LargeMmapAllocator (error code: 1455) [@ __asan::CheckUnwind]

    ==4664==ERROR: AddressSanitizer failed to allocate 0x200002000 (8589942784) bytes of LargeMmapAllocator (error code: 1455)
    ==4664==Dumping process modules:
    	0x128afb3c0000-0x128afb45d000 C:\Windows\System32\msvcp_win.dll
    	0x7ff653380000-0x7ff6534fe000 C:\builds\mc-asan\firefox.exe
    	0x7ffeda070000-0x7ffeda5e5000 C:\builds\mc-asan\mozavcodec.dll
    	0x7ffeda5f0000-0x7ffeda68e000 C:\builds\mc-asan\mozavutil.dll
    	0x7ffedbaf0000-0x7ffef3112000 C:\builds\mc-asan\xul.dll
    	0x7ffef3120000-0x7ffef38a5000 C:\builds\mc-asan\nss3.dll
    	0x7ffef38b0000-0x7ffef4307000 C:\builds\mc-asan\clang_rt.asan_dynamic-x86_64.dll
    	0x7ffef9400000-0x7ffef959e000 C:\builds\mc-asan\freebl3.dll
    	0x7ffef95a0000-0x7ffef9669000 C:\builds\mc-asan\softokn3.dll
    	0x7ffef9690000-0x7ffef98b4000 C:\builds\mc-asan\mozglue.dll
    	0x7fff00110000-0x7fff00129000 C:\builds\mc-asan\lgpllibs.dll
    	0x7fff00130000-0x7fff001be000 C:\Windows\SYSTEM32\MSVCP140.dll
    	0x7fff059e0000-0x7fff059fb000 C:\Windows\SYSTEM32\VCRUNTIME140.dll
    	0x7fff0a380000-0x7fff0a389000 C:\Windows\SYSTEM32\WSOCK32.dll
    	0x7fff0ae30000-0x7fff0ae3c000 C:\Windows\SYSTEM32\VCRUNTIME140_1.dll
    	0x7fff0ccc0000-0x7fff0cce7000 C:\Windows\SYSTEM32\WINMM.dll
    	0x7fff194c0000-0x7fff1973f000 C:\Windows\system32\dwrite.dll
    	0x7fff1dc80000-0x7fff1dd01000 C:\Windows\system32\webauthn.dll
    	0x7fff1f680000-0x7fff1f68a000 C:\Windows\SYSTEM32\VERSION.dll
    	0x7fff21ec0000-0x7fff21eca000 C:\Windows\SYSTEM32\AVRT.dll
    	0x7fff22190000-0x7fff22286000 C:\Windows\SYSTEM32\PROPSYS.dll
    	0x7fff23f80000-0x7fff2401e000 C:\Windows\system32\uxtheme.dll
    	0x7fff244e0000-0x7fff244f2000 C:\Windows\SYSTEM32\kernel.appcore.dll
    	0x7fff252e0000-0x7fff25313000 C:\Windows\SYSTEM32\ntmarta.dll
    	0x7fff25ec0000-0x7fff25ecc000 C:\Windows\SYSTEM32\cryptbase.dll
    	0x7fff26160000-0x7fff26172000 C:\Windows\SYSTEM32\MSASN1.dll
    	0x7fff26320000-0x7fff2634c000 C:\Windows\SYSTEM32\DEVOBJ.dll
    	0x7fff265e0000-0x7fff268ad000 C:\Windows\System32\KERNELBASE.dll
    	0x7fff268b0000-0x7fff269bb000 C:\Windows\System32\gdi32full.dll
    	0x7fff269c0000-0x7fff269e7000 C:\Windows\System32\bcrypt.dll
    	0x7fff269f0000-0x7fff26a58000 C:\Windows\System32\WINTRUST.dll
    	0x7fff26a60000-0x7fff26b60000 C:\Windows\System32\ucrtbase.dll
    	0x7fff26c00000-0x7fff26c4e000 C:\Windows\System32\cfgmgr32.dll
    	0x7fff26c50000-0x7fff26da6000 C:\Windows\System32\CRYPT32.dll
    	0x7fff26db0000-0x7fff26dd2000 C:\Windows\System32\win32u.dll
    	0x7fff26de0000-0x7fff26e62000 C:\Windows\System32\bcryptprimitives.dll
    	0x7fff26f20000-0x7fff27045000 C:\Windows\System32\RPCRT4.dll
    	0x7fff270b0000-0x7fff271da000 C:\Windows\System32\ole32.dll
    	0x7fff27390000-0x7fff2742c000 C:\Windows\System32\sechost.dll
    	0x7fff274c0000-0x7fff2755e000 C:\Windows\System32\msvcrt.dll
    	0x7fff277d0000-0x7fff27c41000 C:\Windows\System32\SETUPAPI.dll
    	0x7fff27de0000-0x7fff27e4b000 C:\Windows\System32\WS2_32.dll
    	0x7fff27e50000-0x7fff281a4000 C:\Windows\System32\combase.dll
    	0x7fff281b0000-0x7fff2826d000 C:\Windows\System32\KERNEL32.DLL
    	0x7fff28270000-0x7fff28410000 C:\Windows\System32\user32.dll
    	0x7fff28410000-0x7fff28440000 C:\Windows\System32\IMM32.DLL
    	0x7fff28b90000-0x7fff28c5d000 C:\Windows\System32\OLEAUT32.dll
    	0x7fff28ce0000-0x7fff28d8e000 C:\Windows\System32\ADVAPI32.dll
    	0x7fff28da0000-0x7fff28dca000 C:\Windows\System32\GDI32.dll
    	0x7fff28ed0000-0x7fff290c5000 C:\Windows\SYSTEM32\ntdll.dll
    AddressSanitizer: CHECK failed: sanitizer_common.cpp:53 "((0 && "unable to mmap")) != (0)" (0x0, 0x0) (tid=8344)
        #0 0x7ffef38f6fe7 in __asan::CheckUnwind /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_rtl.cpp:67
        #1 0x7ffef38c5635 in __sanitizer::CheckFailed(char const *, int, char const *, unsigned __int64, unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_termination.cpp:86
        #2 0x7ffef38b4bae in __sanitizer::ReportMmapFailureAndDie(unsigned __int64, char const *, char const *, unsigned int, bool) /builds/worker/fetches/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_common.cpp:53
        #3 0x7ffef38c24ab in __sanitizer::ReturnNullptrOnOOMOrDie /builds/worker/fetches/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp:162
        #4 0x7ffef38c24ab in __sanitizer::MmapOrDieOnFatalError(unsigned __int64, char const *) /builds/worker/fetches/llvm-project/compiler-rt/lib/sanitizer_common/sanitizer_win.cpp:170
        #5 0x7ffef38db039 in __sanitizer::LargeMmapAllocator<struct __asan::AsanMapUnmapCallback, class __sanitizer::LargeMmapAllocatorPtrArrayDynamic, struct __sanitizer::LocalAddressSpaceView>::Allocate(class __sanitizer::AllocatorStats *, unsigned __int64, unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_secondary.h:97
        #6 0x7ffef38dae33 in __sanitizer::CombinedAllocator<class __sanitizer::SizeClassAllocator64<struct __asan::AP64<struct __sanitizer::LocalAddressSpaceView>>, class __sanitizer::LargeMmapAllocatorPtrArrayDynamic>::Allocate(struct __sanitizer::SizeClassAllocator64LocalCache<class __sanitizer::SizeClassAllocator64<struct __asan::AP64<struct __sanitizer::LocalAddressSpaceView>>> *, unsigned __int64, unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_allocator_combined.h:71
        #7 0x7ffef38d6645 in __asan::Allocator::Allocate(unsigned __int64, unsigned __int64, struct __sanitizer::BufferedStackTrace *, enum __asan::AllocType, bool) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:526
        #8 0x7ffef38d6bb7 in __asan::Allocator::Calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:739
        #9 0x7ffef38d6bb7 in __asan::asan_calloc(unsigned __int64, unsigned __int64, struct __sanitizer::BufferedStackTrace *) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_allocator.cpp:957
        #10 0x7ffef38ee14a in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:115
        #11 0x7ffeeab9be89 in js_arena_calloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:383
        #12 0x7ffeeab9be89 in js_pod_arena_calloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:590
        #13 0x7ffeeab9be89 in js::MallocProvider<JSContext>::maybe_pod_arena_calloc /js/src/vm/MallocProvider.h:66
        #14 0x7ffeeab9be89 in AllocateArrayBufferContents /js/src/vm/ArrayBufferObject.cpp:459
        #15 0x7ffeeab9be89 in js::ArrayBufferObject::createBufferAndData<0>(struct JSContext *, unsigned __int64, class js::AutoSetNewObjectMetadata &, class JS::Handle<class JSObject *>) /js/src/vm/ArrayBufferObject.cpp:1348
        #16 0x7ffeeab94149 in js::ArrayBufferObject::createZeroed(struct JSContext *, unsigned __int64, class JS::Handle<class JSObject *>) /js/src/vm/ArrayBufferObject.cpp:1412
        #17 0x7ffeeb138446 in `anonymous namespace'::TypedArrayObjectTemplate<float>::maybeCreateArrayBuffer /js/src/vm/TypedArrayObject.cpp:902
        #18 0x7ffeeb138446 in `anonymous namespace'::TypedArrayObjectTemplate<float>::fromLength /js/src/vm/TypedArrayObject.cpp:923
        #19 0x7ffeeb138446 in JS_NewFloat32Array(struct JSContext *, unsigned __int64) /js/src/vm/TypedArrayObject.cpp:3057
        #20 0x7ffee3e796c9 in mozilla::dom::AudioBuffer::RestoreJSChannelData(struct JSContext *) /dom/media/webaudio/AudioBuffer.cpp:294
        #21 0x7ffee3e7d62d in mozilla::dom::AudioBuffer::GetChannelData(struct JSContext *, unsigned int, class JS::MutableHandle<class JSObject *>, class mozilla::ErrorResult &) /dom/media/webaudio/AudioBuffer.cpp:402
        #22 0x7ffedfe0cd92 in mozilla::dom::AudioBuffer_Binding::getChannelData /builds/worker/workspace/obj-build/dom/bindings/AudioBufferBinding.cpp:339
        #23 0x7ffee21cca26 in mozilla::dom::binding_detail::GenericMethod<struct mozilla::dom::binding_detail::NormalThisPolicy, struct mozilla::dom::binding_detail::ThrowExceptions>(struct JSContext *, unsigned int, class JS::Value *) /dom/bindings/BindingUtils.cpp:3285
        #24 0x7ffeec7f18d8 in CallJSNative /js/src/vm/Interpreter.cpp:422
        #25 0x7ffeec7f18d8 in js::InternalCallOrConstruct(struct JSContext *, class JS::CallArgs const &, enum js::MaybeConstruct, enum js::CallReason) /js/src/vm/Interpreter.cpp:508
        #26 0x7ffeec7daf96 in InternalCall /js/src/vm/Interpreter.cpp:575
        #27 0x7ffeec7daf96 in js::CallFromStack /js/src/vm/Interpreter.cpp:579
        #28 0x7ffeec7daf96 in Interpret /js/src/vm/Interpreter.cpp:3325
        #29 0x7ffeec7c6123 in js::RunScript(struct JSContext *, class js::RunState &) /js/src/vm/Interpreter.cpp:390
        #30 0x7ffeec7f1b44 in js::InternalCallOrConstruct(struct JSContext *, class JS::CallArgs const &, enum js::MaybeConstruct, enum js::CallReason) /js/src/vm/Interpreter.cpp:540
        #31 0x7ffeec7f4661 in InternalCall /js/src/vm/Interpreter.cpp:575
        #32 0x7ffeec7f4661 in js::Call(struct JSContext *, class JS::Handle<class JS::Value>, class JS::Handle<class JS::Value>, class js::AnyInvokeArgs const &, class JS::MutableHandle<class JS::Value>, enum js::CallReason) /js/src/vm/Interpreter.cpp:606
        #33 0x7ffeeabef5cd in JS::Call(struct JSContext *, class JS::Handle<class JS::Value>, class JS::Handle<class JS::Value>, class JS::HandleValueArray const &, class JS::MutableHandle<class JS::Value>) /js/src/vm/CallAndConstruct.cpp:117
        #34 0x7ffee1be5065 in mozilla::dom::EventListener::HandleEvent(class mozilla::dom::BindingCallContext &, class JS::Handle<class JS::Value>, class mozilla::dom::Event &, class mozilla::ErrorResult &) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62
        #35 0x7ffee2d7442f in mozilla::dom::EventListener::HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65
        #36 0x7ffee2d7442f in mozilla::EventListenerManager::HandleEventSubType(struct mozilla::EventListenerManager::Listener *, class mozilla::dom::Event *, class mozilla::dom::EventTarget *) /dom/events/EventListenerManager.cpp:1310
        #37 0x7ffee2d76670 in mozilla::EventListenerManager::HandleEventInternal(class nsPresContext *, class mozilla::WidgetEvent *, class mozilla::dom::Event **, class mozilla::dom::EventTarget *, enum nsEventStatus *, bool) /dom/events/EventListenerManager.cpp:1505
        #38 0x7ffee2d5bcf4 in mozilla::EventListenerManager::HandleEvent /dom/events/EventListenerManager.h:395
        #39 0x7ffee2d5bcf4 in mozilla::EventTargetChainItem::HandleEvent(class mozilla::EventChainPostVisitor &, class mozilla::ELMCreationDetector &) /dom/events/EventDispatcher.cpp:348
        #40 0x7ffee2d59e7d in mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<class mozilla::EventTargetChainItem> &, class mozilla::EventChainPostVisitor &, class mozilla::EventDispatchingCallback *, class mozilla::ELMCreationDetector &) /dom/events/EventDispatcher.cpp:550
        #41 0x7ffee2d605d9 in mozilla::EventDispatcher::Dispatch(class nsISupports *, class nsPresContext *, class mozilla::WidgetEvent *, class mozilla::dom::Event *, enum nsEventStatus *, class mozilla::EventDispatchingCallback *, class nsTArray<class mozilla::dom::EventTarget *> *) /dom/events/EventDispatcher.cpp:1119
        #42 0x7ffee68008be in nsDocumentViewer::LoadComplete(enum nsresult) /layout/base/nsDocumentViewer.cpp:1083
        #43 0x7ffee990181d in nsDocShell::EndPageLoad(class nsIWebProgress *, class nsIChannel *, enum nsresult) /docshell/base/nsDocShell.cpp:6426
        #44 0x7ffee9900763 in nsDocShell::OnStateChange(class nsIWebProgress *, class nsIRequest *, unsigned int, enum nsresult) /docshell/base/nsDocShell.cpp:5818
        #45 0x7ffede28131a in nsDocLoader::DoFireOnStateChange(class nsIWebProgress *const, class nsIRequest *const, int &, enum nsresult) /uriloader/base/nsDocLoader.cpp:1377
        #46 0x7ffede27f786 in nsDocLoader::doStopDocumentLoad(class nsIRequest *, enum nsresult) /uriloader/base/nsDocLoader.cpp:975
        #47 0x7ffede27ac4a in nsDocLoader::DocLoaderIsEmpty(bool, class mozilla::Maybe<enum nsresult> const &) /uriloader/base/nsDocLoader.cpp:794
        #48 0x7ffede27d97d in nsDocLoader::OnStopRequest(class nsIRequest *, enum nsresult) /uriloader/base/nsDocLoader.cpp:677
        #49 0x7ffee9949fe2 in nsDocShell::OnStopRequest(class nsIRequest *, enum nsresult) /docshell/base/nsDocShell.cpp:13825
        #50 0x7ffedcb12846 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(class nsIRequest *, enum nsresult) /netwerk/base/nsLoadGroup.cpp:614
        #51 0x7ffedcb156a1 in mozilla::net::nsLoadGroup::RemoveRequest(class nsIRequest *, class nsISupports *, enum nsresult) /netwerk/base/nsLoadGroup.cpp:518
        #52 0x7ffedf8cc536 in mozilla::dom::Document::DoUnblockOnload /dom/base/Document.cpp:11660
        #53 0x7ffedf8cc536 in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11599
        #54 0x7ffedf900800 in mozilla::dom::Document::DispatchContentLoadedEvents(void) /dom/base/Document.cpp:8134
        #55 0x7ffedc510fba in mozilla::detail::RunnableMethodArguments<>::applyImpl /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147
        #56 0x7ffedc510fba in mozilla::detail::RunnableMethodArguments<>::apply /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153
        #57 0x7ffedc510fba in mozilla::detail::RunnableMethodImpl<class nsCOMPtr<class mozilla::dom::SVGSVGElement>, void (__cdecl mozilla::dom::SVGSVGElement::*)(void), 1, 0>::Run(void) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200
        #58 0x7ffedc6ae9c6 in mozilla::SchedulerGroup::Runnable::Run(void) /xpcom/threads/SchedulerGroup.cpp:140
        #59 0x7ffedc718bdd in mozilla::RunnableTask::Run(void) /xpcom/threads/TaskController.cpp:538
        #60 0x7ffedc6c7532 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /xpcom/threads/TaskController.cpp:851
        #61 0x7ffedc6c393c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /xpcom/threads/TaskController.cpp:683
        #62 0x7ffedc6c431e in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461
        #63 0x7ffedc721871 in mozilla::TaskController::InitializeInternal::<lambda_1>::operator() /xpcom/threads/TaskController.cpp:187
        #64 0x7ffedc721871 in mozilla::detail::RunnableFunction<`lambda at /xpcom/threads/TaskController.cpp:187:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531
        #65 0x7ffedc6f3dd5 in nsThread::ProcessNextEvent(bool, bool *) /xpcom/threads/nsThread.cpp:1205
        #66 0x7ffedc7030cc in NS_ProcessNextEvent(class nsIThread *, bool) /xpcom/threads/nsThreadUtils.cpp:465
        #67 0x7ffeddd3dab7 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /ipc/glue/MessagePump.cpp:85
        #68 0x7ffeddc539d5 in MessageLoop::RunInternal /ipc/chromium/src/base/message_loop.cc:380
        #69 0x7ffeddc539d5 in MessageLoop::RunHandler(void) /ipc/chromium/src/base/message_loop.cc:373
        #70 0x7ffeddc537a5 in MessageLoop::Run(void) /ipc/chromium/src/base/message_loop.cc:355
        #71 0x7ffee5dd03ba in nsBaseAppShell::Run(void) /widget/nsBaseAppShell.cpp:150
        #72 0x7ffee5fbcf2a in nsAppShell::Run(void) /widget/windows/nsAppShell.cpp:613
        #73 0x7ffeea74b2a4 in XRE_RunAppShell(void) /toolkit/xre/nsEmbedFunctions.cpp:875
        #74 0x7ffeddc539d5 in MessageLoop::RunInternal /ipc/chromium/src/base/message_loop.cc:380
        #75 0x7ffeddc539d5 in MessageLoop::RunHandler(void) /ipc/chromium/src/base/message_loop.cc:373
        #76 0x7ffeddc537a5 in MessageLoop::Run(void) /ipc/chromium/src/base/message_loop.cc:355
        #77 0x7ffeea74a605 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /toolkit/xre/nsEmbedFunctions.cpp:734
        #78 0x7ff653382578 in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:58
        #79 0x7ff653382578 in NS_internal_main(int, char **, char **) /browser/app/nsBrowserApp.cpp:338
        #80 0x7ff6533817bf in wmain /toolkit/xre/nsWindowsWMain.cpp:167
        #81 0x7ff65347df27 in invoke_main d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
        #82 0x7ff65347df27 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
        #83 0x7fff281c7033  (C:\Windows\System32\KERNEL32.DLL+0x180017033)
        #84 0x7fff28f22650  (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)
Attached file Testcase

Please note that this bug is triggering very frequently. I'm going to mark it as a [fuzzblocker](https://firefox-source-docs.mozilla.org/tools/fuzzing/index.html#fuzz-blockers). Please prioritize it accordingly.

Whiteboard: [bugmon:confirm] → [bugmon:confirm][fuzzblocker]

I expect JS_NewFloat32Array to return a null pointer in case of OOM, and that's not happening here. Besides, we haven't changed anything in Web Audio in ages.

The web audio code essentially allocates 32 arrays of (2^32) + 1 bytes each, which isn't going to work anyways.

Should I allocate the arrays manually with a fallible allocator and pass them to the JS_NewFloat32Array function instead?

The call site for this is here: https://searchfox.org/mozilla-central/source/dom/media/webaudio/AudioBuffer.cpp#295.

Jason, as it was pointed out to me on chat.m.o, this seems to be crashing the ASan allocator; maybe something is off there?

Flags: needinfo?(jkratzer)

Paul, I can look into whether it's an issue with the ASan allocator. On our side, is there anything Windows-specific here that would only cause us to OOM on Windows and not Linux?

Nothing comes to mind on that.

If this is really blocking, I can probably tweak our Web Audio API code to side-step what we're seeing here, but I'm afraid I'm a bit busy at the moment.

Flags: needinfo?(jkratzer)
Keywords: bugmon

From the code I found on a Google search, it seems like ASan expects to get ERROR_NOT_ENOUGH_MEMORY on OOM but is seeing something else. It would be interesting to see what error code is being produced.

The error here is: ERROR_COMMITMENT_LIMIT (The paging file is too small for this operation to complete). ASAN_OPTIONS=allocator_may_return_null=true is set but we still see a crash on Windows.

See Also: → 1769798
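The decision the two comments above are circling, as an added illustration that is not compiler-rt's or Firefox's code: a large-allocation path in a sanitizer runtime has to classify the OS error before it decides between handing NULL back (what allocator_may_return_null asks for) and aborting with "unable to mmap". The two Win32 error values are the real ones (8 and 1455); the OS reservation is a stub with a fake 4 GiB commit limit and an injected error code so the program runs on any platform, and the function names (os_reserve, large_alloc, replay_report) are this example's own, not the runtime's. replay_report replays the request size from the report (0x200002000 bytes, as 0x80000800 4-byte elements) under the strict rule, where only ERROR_NOT_ENOUGH_MEMORY is OOM, and under a Windows-aware rule that also accepts ERROR_COMMITMENT_LIMIT.

```c
/* Added illustration, not compiler-rt's or Firefox's code: how a large-allocation
 * path decides between returning NULL to the caller and aborting the process,
 * and why a commitment-limit failure on Windows ends in the abort path when only
 * ERROR_NOT_ENOUGH_MEMORY is recognised as out-of-memory. The Win32 error values
 * are real; the OS reservation call is a stub with a fake commit limit. */
#include <stdint.h>
#include <stdio.h>

#define ERROR_NOT_ENOUGH_MEMORY 8u    /* Win32: "Not enough memory resources" */
#define ERROR_COMMITMENT_LIMIT  1455u /* Win32: "The paging file is too small" */

enum alloc_result { ALLOC_OK, ALLOC_RETURNED_NULL, ALLOC_WOULD_DIE };

/* Stand-in for VirtualAlloc/mmap: requests above the fake commit limit fail
 * and record the injected error code, the way GetLastError() would report it. */
struct fake_os {
    uint64_t commit_limit;
    unsigned fail_code;
    unsigned last_error;
};

static int os_reserve(struct fake_os *os, uint64_t bytes) {
    if (bytes > os->commit_limit) {
        os->last_error = os->fail_code;
        return 0;
    }
    os->last_error = 0;
    return 1;
}

/* Rule described in the thread: only ERROR_NOT_ENOUGH_MEMORY counts as OOM. */
static int is_oom_strict(unsigned err) {
    return err == ERROR_NOT_ENOUGH_MEMORY;
}

/* Rule a Windows-aware runtime needs: a commitment-limit failure is OOM too. */
static int is_oom_windows(unsigned err) {
    return err == ERROR_NOT_ENOUGH_MEMORY || err == ERROR_COMMITMENT_LIMIT;
}

/* The allocator_may_return_null decision. An overflow in count*elem_size is
 * treated as an allocation failure up front so the byte count handed to the
 * OS is always exact; only a recognised OOM error may turn into a NULL return. */
static enum alloc_result large_alloc(struct fake_os *os, uint64_t count,
                                     uint64_t elem_size, int may_return_null,
                                     int (*is_oom)(unsigned)) {
    if (elem_size != 0 && count > UINT64_MAX / elem_size)
        return may_return_null ? ALLOC_RETURNED_NULL : ALLOC_WOULD_DIE;
    if (os_reserve(os, count * elem_size))
        return ALLOC_OK;
    if (may_return_null && is_oom(os->last_error))
        return ALLOC_RETURNED_NULL;
    return ALLOC_WOULD_DIE; /* CHECK failed: "unable to mmap" */
}

/* Replays the request from the report (0x200002000 bytes = 0x80000800 4-byte
 * elements) against a fake 4 GiB commit limit with the given error code. */
static enum alloc_result replay_report(unsigned fail_code, int may_return_null,
                                       int windows_aware) {
    struct fake_os os = { (uint64_t)4 << 30, fail_code, 0 };
    return large_alloc(&os, 0x80000800ULL, 4, may_return_null,
                       windows_aware ? is_oom_windows : is_oom_strict);
}

/* The overflow guard: count*elem_size would wrap, so no OS call is made. */
static enum alloc_result replay_overflow(void) {
    struct fake_os os = { (uint64_t)4 << 30, ERROR_NOT_ENOUGH_MEMORY, 0 };
    return large_alloc(&os, UINT64_MAX, 4, 1, is_oom_strict);
}

int main(void) {
    static const char *names[] = { "ok", "returned NULL", "would die" };
    printf("ERROR_COMMITMENT_LIMIT, strict rule:   %s\n",
           names[replay_report(ERROR_COMMITMENT_LIMIT, 1, 0)]);
    printf("ERROR_COMMITMENT_LIMIT, Windows rule:  %s\n",
           names[replay_report(ERROR_COMMITMENT_LIMIT, 1, 1)]);
    printf("ERROR_NOT_ENOUGH_MEMORY, strict rule:  %s\n",
           names[replay_report(ERROR_NOT_ENOUGH_MEMORY, 1, 0)]);
    printf("count*elem_size overflow:              %s\n",
           names[replay_overflow()]);
    return 0;
}
```

Under the strict rule the commitment-limit case is exactly the report above: allocator_may_return_null is set, yet the runtime still dies, because the error code it sees is not the one it checks for. Treating ERROR_COMMITMENT_LIMIT as OOM lets the NULL propagate back to the caller, where a fallible allocation path (the JS_NewFloat32Array null return the Web Audio comment expects) can handle it.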

ArrayBuffers > 2GB have been around since April 2021.
Is Windows (for ASAN) the thing that is new here?

Flipping "javascript.options.large_arraybuffers" may be a temporary workaround for this particular crash.

See Also: → 1392234
See Also: → 1779748

The severity field is not set for this bug.
:padenot, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(padenot)
Severity: -- → S3
Flags: needinfo?(padenot)
Priority: -- → P3

This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:padenot, could you increase the severity?

For more information, please visit auto_nag documentation.

Flags: needinfo?(padenot)

With bug 1769798 closed this is no longer a fuzzblocker.

Flags: needinfo?(padenot)
Whiteboard: [bugmon:confirm][fuzzblocker] → [bugmon:confirm]