Closed Bug 624645 Opened 15 years ago Closed 15 years ago

OOM crash [@ operator new | js::InitJIT | JSCompartment::init]

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: n.nethercote)

References

Details

(Keywords: crash, regression, Whiteboard: softblocker)

Crash Data

Attachments

(1 file)

stack trace
1.61 KB, text/plain
Details
Attached file stack trace
I've heard that OOM is not supposed to crash in the JS engine. This OOM crash looks like an old bug in js::InitJIT, exposed by making JSCompartment::init call it (in bug 584860). Gary Kwong found this bug using jsfunfuzz and sent me a non-reduced testcase. I haven't attempted to reduce it.
I guess this is a dup of bug 622291.
(In reply to comment #1) > I guess this is a dup of bug 622291. Yeah, looks like it. I'm marking bug 622291 as the dup because it's comments are cluttered. Bug 623428 should fix the problem, which is that js::InitJIT() has various unchecked allocations.
Hrm. I left a comment there (bug 623428 comment 25).
Depends on: 624878
This should block 2.0, lots of possibilities for crashing on OOM.
blocking2.0: --- → ?
blocking2.0: ? → betaN+
Whiteboard: softblocker
Assignee: general → nnethercote
Bug 624878 just landed on TM, once it lands on m-c we can mark this one as fixed, as it fixed the OOM-crash identified here along with a bunch of others.
Per comment 6, bug 624878 just landed on m-c, so this bug is fixed.
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ operator new | js::InitJIT | JSCompartment::init]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: