
OOM crash [@ JSString::isLinear] with regular expression

RESOLVED FIXED in mozilla10



Component: JavaScript Engine
Reported: 6 years ago
Modified: 4 years ago


(Reporter: decoder, Assigned: evilpie)


(Blocks: 1 bug, {crash, testcase})

Bug Flags: in-testsuite +

Firefox Tracking Flags: (Not tracked)


(Whiteboard: js-triage-needed, crash signature)


(1 attachment, 1 obsolete attachment)



6 years ago
The following test crashes on mozilla-central revision 322354df233d (options -m -n -a), armv7-a arch only (I am not sure if this is an ARM issue or if it's due to the memory restrictions of the ARM board):

const MAX = 10000;
var str = "";
for (var i = 0; i < MAX; ++i) {
    // Each pass appends str to itself, so the rope doubles in size every iteration.
    str += str + 'xxxxxxxxxxxxxx';
}

Backtrace of crash:

Program received signal SIGSEGV, Segmentation fault.
0x00042d26 in JSString::isLinear (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:329
329             return (d.lengthAndFlags & LINEAR_MASK) == LINEAR_FLAGS;
(gdb) bt
#0  0x00042d26 in JSString::isLinear (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:329
#1  0x00042fbc in JSLinearString::chars (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:457
#2  0x0020a194 in ExecuteRegExp (cx=0x4a2b38, native=0x20a3b1 <js::regexp_test(JSContext*, uintN, JS::Value*)>, argc=1, vp=0x4048e058)
    at /home/decoder/LangFuzz/mozilla-central/js/src/builtin/RegExp.cpp:538
#3  0x0020a3cc in js::regexp_test (cx=0x4a2b38, argc=1, vp=0x4048e058) at /home/decoder/LangFuzz/mozilla-central/js/src/builtin/RegExp.cpp:590
#4  0x000f0dba in js::CallJSNative (cx=0x4a2b38, native=0x20a3b1 <js::regexp_test(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:297
#5  0x00300c00 in CallCompiler::generateNativeStub (this=0xbedd6300) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:939
#6  0x002fcdd6 in js::mjit::ic::NativeCall (f=..., ic=0x4a7c98) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:1173
#7  0x0028966e in JaegerStubVeneer () at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:164
#8  0x4089165c in ?? ()

I think this could be an allocation failing due to oom where the allocating function returns NULL instead and the error is not checked, leading to a null-deref (not security relevant in that case).
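
The failure mode the report describes, an allocation that returns NULL under OOM and a caller that uses the result without checking it, modelled as an added C example. This is not SpiderMonkey code: the Rope, flatten and scan names and the failing_alloc hook are stand-ins for the rope flattening and the regexp_test native seen in the backtrace, chosen so the OOM path can be exercised deterministically instead of by exhausting the board's memory as the original testcase does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not SpiderMonkey code: a toy model of the crash pattern in
 * the report. A rope (a string built by concatenation) must be flattened into
 * one contiguous buffer before a regex engine can scan it. Flattening
 * allocates, and under OOM the allocator returns NULL. */

typedef struct { const char *left; const char *right; } Rope;

/* Allocator hook so a test can simulate OOM deterministically (assumed helper). */
typedef void *(*alloc_fn)(size_t);
static void *failing_alloc(size_t n) { (void)n; return NULL; }

/* Flatten: returns a heap buffer, or NULL on allocation failure. */
static char *flatten(const Rope *r, alloc_fn alloc) {
    size_t ll = strlen(r->left), rl = strlen(r->right);
    char *buf = alloc(ll + rl + 1);
    if (!buf) return NULL;               /* the only OOM signal callers get */
    memcpy(buf, r->left, ll);
    memcpy(buf + ll, r->right, rl + 1);  /* includes the terminating NUL */
    return buf;
}

/* Minimal "regex": does needle occur in the flattened chars? Stands in for
 * the regexp_test native from the backtrace. */
static int scan(const char *chars, const char *needle) {
    return strstr(chars, needle) != NULL;
}

/* Buggy shape (do not use): the flatten result goes straight into the
 * scanner, mirroring JSLinearString::chars(this=0x0) in the backtrace.
 * Under OOM this dereferences NULL and the process faults. */
static int regexp_test_unchecked(const Rope *r, const char *needle, alloc_fn alloc) {
    char *chars = flatten(r, alloc);
    int hit = scan(chars, needle);       /* NULL deref when flatten failed */
    free(chars);
    return hit;
}

/* Fixed shape: treat NULL as a reported error and unwind with a distinct
 * status so the caller can propagate the out-of-memory exception. */
enum { RX_ERROR = -1, RX_NO_MATCH = 0, RX_MATCH = 1 };

static int regexp_test_checked(const Rope *r, const char *needle, alloc_fn alloc) {
    char *chars = flatten(r, alloc);
    if (!chars)
        return RX_ERROR;                 /* out of memory: propagate, never touch chars */
    int hit = scan(chars, needle) ? RX_MATCH : RX_NO_MATCH;
    free(chars);
    return hit;
}

int main(void) {
    /* Constructed input: a short rope and a needle that spans the join. */
    Rope r = { "xxxx", "xxxxxxxxxxxxxx" };
    printf("normal allocator: %d\n", regexp_test_checked(&r, "xxxxx", malloc));
    printf("simulated OOM:    %d\n", regexp_test_checked(&r, "xxxxx", failing_alloc));
    /* regexp_test_unchecked(&r, "x", failing_alloc) would SIGSEGV here. */
    return 0;
}
```

The unchecked path reads through a NULL base, which lands at a fixed unmapped low address and faults; that is why the reporter rates the bug as a crash rather than a memory-safety issue. The checked path returns RX_ERROR without touching the missing buffer, which is the shape of the fix a regex native needs: the allocation failure has already been reported, so the caller's job is to bail out and let the pending exception propagate.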


6 years ago
Whiteboard: js-triage-needed
Assignee: general → evilpies
Created attachment 570845 [details] [diff] [review]

Untested but should fix this.

Comment 2

6 years ago
Try run for 5a1614379c50 is complete.
Detailed breakdown of the results available here:
Results (out of 19 total builds):
    success: 14
    warnings: 5
Builds available at
Created attachment 571114 [details] [diff] [review]

Not sure how to test, but didn't crash on Android test run.
Attachment #570845 - Attachment is obsolete: true
Attachment #571114 - Flags: review?(mrbkap)


6 years ago
Attachment #571114 - Flags: review?(mrbkap) → review+
Backed out along with bug 430927 because of test failures on inbound:

This patch can re-land if it is not responsible for the test failures.

Comment 5

6 years ago
Try run for 57e8ba5a8d21 is complete.
Detailed breakdown of the results available here:
Results (out of 18 total builds):
    exception: 16
    failure: 2
Builds available at

Comment 6

6 years ago
Try run for a45235903f82 is complete.
Detailed breakdown of the results available here:
Results (out of 88 total builds):
    exception: 41
    success: 5
    warnings: 3
    failure: 39
Builds available at

Comment 7

6 years ago
Try run for 2d87fa073ff9 is complete.
Detailed breakdown of the results available here:
Results (out of 193 total builds):
    success: 184
    warnings: 9
Builds available at
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla10


6 years ago
Depends on: 702182

Comment 10

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug698584.js.
Flags: in-testsuite+
See Also: → bug 967467