Bug 652438 - TM: Crash [@ JSString::isLinear] on out-of-memory
Status: Closed, RESOLVED FIXED (opened 14 years ago, closed 14 years ago)
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla6
Tracking: firefox5: -
People: Reporter: decoder, Assigned: luke
Keywords: crash, testcase
Whiteboard: [sg:dos null-deref] fixed-in-tracemonkey
Attachments (1 file): attachment 528058, patch, 924 bytes; Waldo: review+; asa: approval-mozilla-beta-
Description
The following testcase (IMPORTANT: run with "-A 500 -m -j" to limit the memory usage) crashes on TM revision a03a4fea1679 (tested on 32 bit):
function f()
{
}
function dosubst()
{
  // Start with the function object; s += s coerces f to its source text
  // and doubles the string 18 times, so s is 2^18 copies of it (a rope).
  var s = f;
  for (var i = 0; i < 18; i++)
  {
    s += s;
  }
  // indexOf has to flatten the rope s into linear chars; under memory
  // pressure that allocation fails and getChars() returns NULL.
  var index = s.indexOf(f);
  // Recurse without bound so every frame holds its own large string
  // alive until the allocator gives out.
  while(true) {
    dosubst();
  }
}
dosubst();
Backtrace (looks like a safe null-pointer deref):
out of memory
==2747== Invalid read of size 4
==2747== at 0x807BBEE: JSString::isLinear() const (jsstr.h:289)
==2747== by 0x807BEBC: JSLinearString::chars() const (jsstr.h:421)
==2747== by 0x807BFAB: JSString::getChars(JSContext*) (jsstr.h:697)
==2747== by 0x81B228E: str_indexOf(JSContext*, unsigned int, js::Value*) (jsstr.cpp:1448)
==2747== by 0x57B1788: ???
==2747== by 0x82857D0: js::mjit::EnterMethodJIT(JSContext*, JSStackFrame*, void*, js::Value*) (MethodJIT.cpp:684)
==2747== by 0x82858F5: CheckStackAndEnterMethodJIT(JSContext*, JSStackFrame*, void*) (MethodJIT.cpp:713)
==2747== by 0x82859CA: js::mjit::JaegerShot(JSContext*) (MethodJIT.cpp:730)
==2747== by 0x832E3A9: js::Interpret(JSContext*, JSStackFrame*, unsigned int, JSInterpMode) (jsinterp.cpp:4699)
==2747== by 0x8234FFC: js::RecordTracePoint(JSContext*, js::TraceMonitor*, unsigned int&, bool*, bool) (jstracer.cpp:16741)
==2747== by 0x82356CD: js::MonitorTracePoint(JSContext*, unsigned int&, bool*, void**, unsigned int*, unsigned int*, unsigned int) (jstracer.cpp:16898)
==2747== by 0x82F2984: RunTracer(js::VMFrame&, js::mjit::ic::TraceICInfo&) (InvokeHelpers.cpp:981)
==2747== Address 0x0 is not stack'd, malloc'd or (recently) free'd
Comment 1•14 years ago (Assignee)
Well, it looks like in the heat of bug 613457 I seem to have "refactored" out the OOM check I added in bug 609440. Sheesh, you'd think if anyone would know about fallible string chars...
Thanks for finding this! The pesky string limits make it hard to make a fast-running shell test case that doesn't require special flags.
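The defect luke describes, a fallible chars-flattening call whose NULL result the caller no longer checked, shown as an added C example. This is not SpiderMonkey code: the `Rope` type, `rope_get_chars`, `index_of_unchecked`, `index_of_checked`, `find_in_rope` and the `fail_next_alloc` hook are hypothetical stand-ins for JSString, getChars(), str_indexOf and a real allocation failure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a rope string: two halves that must be
 * flattened into one contiguous buffer before the chars are usable,
 * the way a JSString rope must be linearized before getChars(). */
typedef struct Rope {
    const char *left;
    const char *right;
    char *flat;     /* non-NULL once flattened; owned by the rope */
} Rope;

/* Test hook (an assumption of this example): when set, the next
 * allocation fails, standing in for the real out-of-memory condition. */
static int fail_next_alloc = 0;

static void *fallible_malloc(size_t n) {
    if (fail_next_alloc) {
        fail_next_alloc = 0;
        return NULL;
    }
    return malloc(n);
}

/* Flatten on demand. Returns NULL on allocation failure; every caller
 * must handle that, which is the check str_indexOf lost. */
static const char *rope_get_chars(Rope *r) {
    if (r->flat)
        return r->flat;
    size_t ll = strlen(r->left), rl = strlen(r->right);
    char *buf = fallible_malloc(ll + rl + 1);
    if (!buf)
        return NULL;
    memcpy(buf, r->left, ll);
    memcpy(buf + ll, r->right, rl + 1);   /* copies the terminator too */
    r->flat = buf;
    return buf;
}

/* The buggy shape: the result of a fallible call is dereferenced
 * unconditionally. Under OOM, chars is NULL and strstr reads from
 * address 0, the same class of fault as the report's "Address 0x0". */
static ptrdiff_t index_of_unchecked(Rope *r, const char *needle) {
    const char *chars = rope_get_chars(r);
    const char *hit = strstr(chars, needle);
    return hit ? hit - chars : -1;
}

/* The fixed shape: check the fallible result and propagate failure to
 * the caller instead of touching the pointer. */
static bool index_of_checked(Rope *r, const char *needle, ptrdiff_t *out) {
    const char *chars = rope_get_chars(r);
    if (!chars)
        return false;                     /* report OOM up the stack */
    const char *hit = strstr(chars, needle);
    *out = hit ? hit - chars : -1;
    return true;
}

static void rope_free(Rope *r) {
    free(r->flat);
    r->flat = NULL;
}

#define INDEX_OOM (-2)

/* Driver: build a rope from two literal halves, optionally make its
 * flattening allocation fail, and search it with the checked routine.
 * Returns the match index, -1 if absent, or INDEX_OOM on failure. */
static ptrdiff_t find_in_rope(const char *left, const char *right,
                              const char *needle, int simulate_oom) {
    Rope r = { left, right, NULL };
    ptrdiff_t idx = -1;
    fail_next_alloc = simulate_oom;
    bool ok = index_of_checked(&r, needle, &idx);
    rope_free(&r);
    return ok ? idx : INDEX_OOM;
}

int main(void) {
    Rope r = { "function f()", "{}", NULL };
    printf("unchecked, no OOM: %td\n", index_of_unchecked(&r, "{}"));
    rope_free(&r);
    printf("checked, simulated OOM: %td\n",
           find_in_rope("function f()", "{}", "{}", 1));
    printf("checked, retry: %td\n",
           find_in_rope("function f()", "{}", "{}", 0));
    return 0;
}
```

Running `index_of_unchecked` with `fail_next_alloc` set reproduces the NULL read; the checked variant instead returns failure so the caller can report out-of-memory, which is the only safe behaviour once the flattening allocation has failed.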
Updated•14 years ago
Attachment #528058 - Flags: review?(jwalden+bmo) → review+
Comment 2•14 years ago (Assignee)
Whiteboard: fixed-in-tracemonkey
Comment 3•14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•14 years ago
Whiteboard: fixed-in-tracemonkey → [sg:dos null-deref] fixed-in-tracemonkey
Comment 4•14 years ago
Comment on attachment 528058 (fix):
We should consider landing this safe fix in Firefox 5: see bug 659920 comment 7
Attachment #528058 - Flags: approval-mozilla-beta?
Updated•14 years ago
Target Milestone: --- → mozilla6
Comment 6•14 years ago
Comment on attachment 528058 (fix):
Too late in the Beta cycle for non-critical bugs.
Attachment #528058 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Updated•14 years ago
Updated•13 years ago
Crash Signature: [@ JSString::isLinear]