Assertion failure: isThrowingOutOfMemory(), at vm/JSContext.cpp:968
Categories
(Core :: JavaScript Engine, defect)
Tracking
| Release | Tracking | Status |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | unaffected |
| firefox103 | --- | unaffected |
| firefox104 | --- | unaffected |
| firefox105 | --- | verified |
People
(Reporter: decoder, Assigned: mohamedatef1698)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220811-7169b8faa7e1 (debug build, run with --fuzzing-safe --no-threads):
v2 = new Uint32Array(65537);
v4 = Object.getOwnPropertyNames(v2);
do {} while (v4 < 10n);
Backtrace:
received signal SIGSEGV, Segmentation fault.
#0 0x0000555556f14e46 in JSContext::alreadyReportedOOM() ()
#1 0x0000555556e31510 in js::StringToBigInt(JSContext*, JS::Handle<JSString*>) ()
#2 0x0000555556e32ba6 in JS::BigInt::lessThan(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, mozilla::Maybe<bool>&) ()
#3 0x0000555556d57333 in LessThanImpl(JSContext*, JS::MutableHandle<JS::Value>, JS::MutableHandle<JS::Value>, mozilla::Maybe<bool>&) ()
#4 0x0000555556d2bc6c in Interpret(JSContext*, js::RunState&) ()
[...]
#13 0x0000555556b93ab4 in main ()
rax 0x55555574f6bd 93824994309821
rbx 0x7ffff602a100 140737320755456
rcx 0x5555582b3190 93825039806864
rdx 0x0 0
rsi 0x7ffff7105770 140737338431344
rdi 0x7ffff7104540 140737338426688
rbp 0x7fffffffbfa0 140737488338848
rsp 0x7fffffffbf90 140737488338832
r8 0x7ffff7105770 140737338431344
r9 0x7ffff7f99840 140737353717824
r10 0x0 0
r11 0x0 0
r12 0x7ffff5e0c098 140737318535320
r13 0x7ffff5e0c090 140737318535312
r14 0x7fffffffc018 140737488338968
r15 0x7ffff602a100 140737320755456
rip 0x555556f14e46 <JSContext::alreadyReportedOOM()+182>
=> 0x555556f14e46 <_ZN9JSContext18alreadyReportedOOMEv+182>: movl $0x3c8,0x0
0x555556f14e51 <_ZN9JSContext18alreadyReportedOOMEv+193>: callq 0x555556c2a1b4 <abort>
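The backtrace shows the comparison reaching js::StringToBigInt through JS::BigInt::lessThan. The following is an added example, not part of the bug report and not SpiderMonkey code, that writes out in plain JavaScript the ECMAScript operations that path implements: ToPrimitive on the array operand (which joins its elements into one string), then StringToBigInt on that string, then the BigInt comparison. It is scaled down to three typed-array elements instead of 65537. The functions stringToBigInt, toPrimitive, isLessThan, lessThan and testcaseOperand are the example's own names for the spec operations, not engine APIs.

```javascript
// Added illustration (not from the bug report): the abstract operations that
// the testcase's `v4 < 10n` comparison walks through, written in JavaScript.
// These are hypothetical reimplementations of the spec operations, not
// SpiderMonkey's code.

// StringToBigInt: trim, then accept an optional-sign decimal integer or an
// unsigned 0b/0o/0x literal; anything else yields undefined, not an error.
function stringToBigInt(str) {
  const s = str.trim();
  if (s === "") return 0n; // empty or whitespace-only string is 0n
  if (/^[+-]?[0-9]+$/.test(s) || /^0[bB][01]+$/.test(s) ||
      /^0[oO][0-7]+$/.test(s) || /^0[xX][0-9a-fA-F]+$/.test(s)) {
    return BigInt(s);
  }
  return undefined;
}

// ToPrimitive (hint "number") for ordinary objects: try valueOf(), then
// toString(); an array's valueOf() returns the array itself, so its
// toString() is what produces the comma-joined element string.
function toPrimitive(v) {
  if (v === null || (typeof v !== "object" && typeof v !== "function")) return v;
  for (const m of ["valueOf", "toString"]) {
    const f = v[m];
    if (typeof f === "function") {
      const r = f.call(v);
      if (r === null || (typeof r !== "object" && typeof r !== "function")) return r;
    }
  }
  throw new TypeError("cannot convert object to primitive");
}

// IsLessThan(x, y) restricted to the String/BigInt operand mix. Returns
// true, false or undefined; the interpreter turns undefined into false.
function isLessThan(x, y) {
  const px = toPrimitive(x), py = toPrimitive(y);
  if (typeof px === "string" && typeof py === "bigint") {
    const nx = stringToBigInt(px);
    return nx === undefined ? undefined : nx < py;
  }
  if (typeof px === "bigint" && typeof py === "string") {
    const ny = stringToBigInt(py);
    return ny === undefined ? undefined : px < ny;
  }
  if (typeof px === "bigint" && typeof py === "bigint") return px < py;
  throw new TypeError("operand mix not covered by this illustration");
}

// `x < y` as evaluated by the interpreter: only a true result is true.
function lessThan(x, y) {
  return isLessThan(x, y) === true;
}

// Scaled-down left operand of the testcase (3 elements instead of 65537):
// the own property names of a typed array are its element indices.
function testcaseOperand(n = 3) {
  return Object.getOwnPropertyNames(new Uint32Array(n));
}
```

The point this makes visible is that StringToBigInt is specified to return undefined for a string that is not an integer literal, so a well-behaved engine evaluates `["0","1","2"] < 10n` to false rather than raising anything; the failure path in the report is the engine treating a non-OOM failure inside that conversion as if it were an out-of-memory report. The example checks its own results against the native `<` operator.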
Comment 1 (Reporter) • 2 years ago
Comment 2 (Reporter) • 2 years ago
Comment 3 • 2 years ago
Set release status flags based on info from the regressing bug 1746713
Comment 4 • 2 years ago
:mohamedatef1698, since you are the author of the regressor, bug 1746713, could you take a look?
For more information, please visit auto_nag documentation.
Comment 5 • 2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220812154154-66e3220110ba.
The bug appears to have been introduced in the following build range:
Start: 9fee436165d47605743596ac776654acedf1b757 (20220810213450)
End: 30d55bfc9346d72490b626d486b012a172f582a4 (20220810214808)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=9fee436165d47605743596ac776654acedf1b757&tochange=30d55bfc9346d72490b626d486b012a172f582a4
Comment 6 (Assignee) • 2 years ago
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/e5c661eb211d Support generic error in js::StringToBigInt. r=arai
Comment 8 (bugherder) • 2 years ago
Comment 9 • 2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220813214044-f3931b6a6402.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.