Assertion failure: cx->runtime()->hadOutOfMemory, at /js/src/shell/js.cpp:5694
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox105 | --- | unaffected |
| firefox106 | --- | unaffected |
| firefox107 | --- | verified |
People
(Reporter: decoder, Assigned: arai)
References
(Regression)
Details
(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisected,confirmed][fuzzblocker])
Attachments
(3 files)
The following testcase crashes on mozilla-central revision 20220929-a2601693650d (debug build, run with --fuzzing-safe --ion-offthread-compile=off test.js):
syntaxParse(">")
Backtrace:
received signal SIGSEGV, Segmentation fault.
0x000055fedbd7a0aa in SyntaxParse(JSContext*, unsigned int, JS::Value*) ()
#0 0x000055fedbd7a0aa in SyntaxParse(JSContext*, unsigned int, JS::Value*) ()
#1 0x000055fedbeebfcd in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#12 0x000055fedbd43104 in main ()
rip 0x55fedbd7a0aa <SyntaxParse(JSContext*, unsigned int, JS::Value*)+2682>
=> 0x55fedbd7a0aa <_ZL11SyntaxParseP9JSContextjPN2JS5ValueE+2682>: movl $0x163e,0x0
0x55fedbd7a0b5 <_ZL11SyntaxParseP9JSContextjPN2JS5ValueE+2693>: callq 0x55fedbdd93a0 <abort>
Fuzzblocker due to the simplicity of the test.
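An added triage example, not part of the original report or of Mozilla's tooling: debug builds of this codebase crash on a failed assertion by storing the source line number to a null address and then calling abort(), which is why the report shows SIGSEGV alongside an assertion message. The Python below checks that pattern against the title and the two disassembly lines quoted above (0x163e is 5694); the function names are hypothetical.

```python
import re

# Constructed input: the bug title and the two disassembly lines from the report.
ASSERTION = ("Assertion failure: cx->runtime()->hadOutOfMemory, "
             "at /js/src/shell/js.cpp:5694")
DISASSEMBLY = """\
=> 0x55fedbd7a0aa <_ZL11SyntaxParseP9JSContextjPN2JS5ValueE+2682>: movl $0x163e,0x0
0x55fedbd7a0b5 <_ZL11SyntaxParseP9JSContextjPN2JS5ValueE+2693>: callq 0x55fedbdd93a0 <abort>
"""

# Faulting instruction ("=>") that stores a hex immediate to absolute address 0.
NULL_STORE = re.compile(
    r"^=>\s*0x[0-9a-f]+\s+<[^>]+>:\s+movl?\s+\$0x([0-9a-f]+),\s*0x0\s*$", re.I)
# Direct call to abort() in gdb's AT&T-syntax output.
ABORT_CALL = re.compile(r"\bcallq?\s+0x[0-9a-f]+\s+<abort(@plt)?>", re.I)
# "Assertion failure: <expr>, at <file>:<line>"
ASSERT_LINE = re.compile(r"Assertion failure: .*, at (\S+):(\d+)\s*$")


def crash_marker_line(disassembly):
    """Return the value stored to address 0 if the faulting instruction is
    immediately followed by a call to abort(), otherwise None."""
    lines = [l.strip() for l in disassembly.splitlines() if l.strip()]
    for i, line in enumerate(lines):
        m = NULL_STORE.match(line)
        if m and i + 1 < len(lines) and ABORT_CALL.search(lines[i + 1]):
            return int(m.group(1), 16)
    return None


def classify(assertion, disassembly):
    """Separate a deliberate assertion crash from a fault that needs a closer look."""
    marker = crash_marker_line(disassembly)
    if marker is None:
        return "unexplained-segv"        # not the store-then-abort pattern
    m = ASSERT_LINE.search(assertion)
    if m and int(m.group(2)) == marker:
        return "assertion-crash"         # stored value equals the asserted line
    return "crash-marker-mismatch"       # pattern present, line number differs


if __name__ == "__main__":
    print(crash_marker_line(DISASSEMBLY), classify(ASSERTION, DISASSEMBLY))
```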
Comment 3•2 years ago
Regression from AutoReportFrontendContext added in bug 1786494.
Comment 4•2 years ago
Set release status flags based on info from the regressing bug 1786494
:arai, since you are the author of the regressor, bug 1786494, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
Comment 6•2 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220930093536-8d15b6719c22.
The bug appears to have been introduced in the following build range:
Start: 50157da10bda15d65de462d77d9e0b0538bf54cb (20220928073715)
End: 0ac06d10a688469f9dee764c08fd1f3b18240544 (20220928074337)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=50157da10bda15d65de462d77d9e0b0538bf54cb&tochange=0ac06d10a688469f9dee764c08fd1f3b18240544
Comment 9•2 years ago
Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20221005094233-c14f7934269f.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.