Closed Bug 652438 Opened 13 years ago Closed 13 years ago

TM: Crash [@ JSString::isLinear] on out-of-memory

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla6
Tracking Status
firefox5 - ---

People

(Reporter: decoder, Assigned: luke)

Details

(Keywords: crash, testcase, Whiteboard: [sg:dos null-deref] fixed-in-tracemonkey)

Crash Data

Attachments

(1 file)

The following testcase (IMPORTANT: run with "-A 500 -m -j" to limit the memory usage) crashes on TM revision a03a4fea1679 (tested on 32 bit):

function f()
{
}
function dosubst()
{
  var s = f;                  // starts as the function; += below coerces it to its source text
  for (var i = 0; i < 18; i++)
  {
    s += s;                   // doubles the string each round, so it grows quickly
  }
  var index = s.indexOf(f);   // indexOf needs the string's characters; under the memory limit that allocation fails
  while(true) {
    dosubst();                // recurse until the memory limit is reached
  }
}
dosubst();


Backtrace (looks like a safe null-pointer deref):

out of memory
==2747== Invalid read of size 4
==2747==    at 0x807BBEE: JSString::isLinear() const (jsstr.h:289)
==2747==    by 0x807BEBC: JSLinearString::chars() const (jsstr.h:421)
==2747==    by 0x807BFAB: JSString::getChars(JSContext*) (jsstr.h:697)
==2747==    by 0x81B228E: str_indexOf(JSContext*, unsigned int, js::Value*) (jsstr.cpp:1448)
==2747==    by 0x57B1788: ???
==2747==    by 0x82857D0: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:684)
==2747==    by 0x82858F5: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:713)
==2747==    by 0x82859CA: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:730)
==2747==    by 0x832E3A9: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:4699)
==2747==    by 0x8234FFC: js::RecordTracePoint(JSContext*, js::TraceMonitor*, unsigned int&, bool*, bool) (jstracer.cpp:16741)
==2747==    by 0x82356CD: js::MonitorTracePoint(JSContext*, unsigned int&, bool*, void**, unsigned int*, unsigned int*, unsigned int) (jstracer.cpp:16898)
==2747==    by 0x82F2984: RunTracer(js::VMFrame&, js::mjit::ic::TraceICInfo&) (InvokeHelpers.cpp:981)
==2747==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Attached patch: fix
Well, it looks like in the heat of bug 613457 I seem to have "refactored" out the OOM check I added in bug 609440.  Sheesh, you'd think if anyone would know about fallible string chars...

Thanks for finding this!  The pesky string limits make it hard to make a fast-running shell test case that doesn't require special flags.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #528058 - Flags: review?(jwalden+bmo)
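A small C++ model of the failure mode described in the comment above, added here as an example; it is not code from SpiderMonkey or from the attached patch. `getChars` is fallible because flattening a rope allocates, `indexOfUnchecked` shows the shape that reads through a null pointer when the allocation is refused, and `indexOfChecked` shows the shape of the fix. All names and the byte-budget `Context` are hypothetical.

```cpp
#include <cstddef>
#include <string>
#include <utility>
// Hypothetical stand-ins for the engine types in the backtrace (added model, not SpiderMonkey code).
struct Context {
    std::size_t budget = 0;   // bytes still allowed, like the shell's -A/-m limit
    bool oom = false;         // set when an allocation is refused ("out of memory")
};
// A string is either linear (chars in `flat`) or a rope (left + right); repeated
// `s += s` builds ropes, and indexOf needs the linear form.
struct Str {
    std::string flat;
    const Str* left = nullptr;
    const Str* right = nullptr;
    bool isLinear() const { return left == nullptr; }
    std::size_t length() const { return isLinear() ? flat.size() : left->length() + right->length(); }
    void appendTo(std::string& out) const {
        if (isLinear()) out += flat; else { left->appendTo(out); right->appendTo(out); }
    }
    // Fallible: flattening a rope allocates; when refused it reports OOM and returns nullptr.
    const char* getChars(Context& cx) {
        if (isLinear()) return flat.c_str();
        std::size_t need = length();
        if (need > cx.budget) { cx.oom = true; return nullptr; }
        cx.budget -= need;
        std::string tmp;
        appendTo(tmp);
        flat = std::move(tmp);
        left = right = nullptr;
        return flat.c_str();
    }
};

// The bug's shape: the fallible result is used unconditionally, so a refused
// allocation becomes a null read (the Valgrind "Invalid read" above). Not called here.
long indexOfUnchecked(Context& cx, Str& text, const Str& pat) {
    std::string::size_type pos = std::string(text.getChars(cx), text.length()).find(pat.flat);
    return pos == std::string::npos ? -1 : static_cast<long>(pos);
}

// The fix's shape: check the fallible result and propagate failure (the engine
// returns JS_FALSE after the OOM report). `pat` is assumed to be linear already.
bool indexOfChecked(Context& cx, Str& text, const Str& pat, long* result) {
    const char* chars = text.getChars(cx);
    if (!chars) return false;                   // OOM already recorded on cx
    std::string::size_type pos = std::string(chars, text.length()).find(pat.flat);
    *result = pos == std::string::npos ? -1 : static_cast<long>(pos);
    return true;
}
```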
Attachment #528058 - Flags: review?(jwalden+bmo) → review+
http://hg.mozilla.org/tracemonkey/rev/a3e69f698ce3
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/a3e69f698ce3
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey → [sg:dos null-deref] fixed-in-tracemonkey
Comment on attachment 528058
fix

We should consider landing this safe fix in Firefox 5: see bug 659920 comment 7
Attachment #528058 - Flags: approval-mozilla-beta?
It's definitely low risk.
Target Milestone: --- → mozilla6
Comment on attachment 528058
fix

Too late in the Beta cycle for non-critical bugs.
Attachment #528058 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Crash Signature: [@ JSString::isLinear]