Bug 698584 - OOM crash [@ JSString::isLinear] with regular expression
Status: RESOLVED FIXED
Whiteboard: js-triage-needed
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: ARM Linux
Importance: -- critical
Target Milestone: mozilla10
Assigned To: Tom Schuster [:evilpie]
:
: Jason Orendorff [:jorendorff]
Mentors:
Depends on: 702182
Blocks: langfuzz

Reported: 2011-10-31 14:15 PDT by Christian Holler (:decoder)
Modified: 2014-02-06 09:00 PST
choller: in-testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
wip (676 bytes, patch)
2011-10-31 14:25 PDT, Tom Schuster [:evilpie]
no flags Details | Diff | Splinter Review
v1 (1.22 KB, patch)
2011-11-01 12:50 PDT, Tom Schuster [:evilpie]
mrbkap: review+
Details | Diff | Splinter Review

Description Christian Holler (:decoder) 2011-10-31 14:15:20 PDT
The following test crashes on mozilla-central revision 322354df233d (options -m -n -a), armv7-a arch only (I am not sure if this is an ARM issue or if it's due to the memory restrictions of the ARM board):


const MAX = 10000;
var str = "";
for (var i = 0; i < MAX; ++i) {
    /x/.test(str);                 // regexp test forces the rope to be flattened
    str += str + 'xxxxxxxxxxxxxx'; // length doubles each iteration: 14 * (2^i - 1) chars after i steps
}

Backtrace of crash:

Program received signal SIGSEGV, Segmentation fault.
0x00042d26 in JSString::isLinear (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:329
329             return (d.lengthAndFlags & LINEAR_MASK) == LINEAR_FLAGS;
(gdb) bt
#0  0x00042d26 in JSString::isLinear (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:329
#1  0x00042fbc in JSLinearString::chars (this=0x0) at /home/decoder/LangFuzz/mozilla-central/js/src/vm/String.h:457
#2  0x0020a194 in ExecuteRegExp (cx=0x4a2b38, native=0x20a3b1 <js::regexp_test(JSContext*, uintN, JS::Value*)>, argc=1, vp=0x4048e058)
    at /home/decoder/LangFuzz/mozilla-central/js/src/builtin/RegExp.cpp:538
#3  0x0020a3cc in js::regexp_test (cx=0x4a2b38, argc=1, vp=0x4048e058) at /home/decoder/LangFuzz/mozilla-central/js/src/builtin/RegExp.cpp:590
#4  0x000f0dba in js::CallJSNative (cx=0x4a2b38, native=0x20a3b1 <js::regexp_test(JSContext*, uintN, JS::Value*)>, args=...) at ../jscntxtinlines.h:297
#5  0x00300c00 in CallCompiler::generateNativeStub (this=0xbedd6300) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:939
#6  0x002fcdd6 in js::mjit::ic::NativeCall (f=..., ic=0x4a7c98) at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MonoIC.cpp:1173
#7  0x0028966e in JaegerStubVeneer () at /home/decoder/LangFuzz/mozilla-central/js/src/methodjit/MethodJIT.cpp:164
#8  0x4089165c in ?? ()


I think this could be an allocation failing due to OOM where the allocating function returns NULL instead and the error is not checked, leading to a null-deref (not security relevant in that case).
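As an added illustration of the mechanism suspected in this report (this is not code from the page, from SpiderMonkey, or from the attached patch): a constructed C++ model of a rope string that has to be flattened before a regexp test, with a budgeted allocator standing in for the ARM board's memory limit. The names BudgetedHeap, Rope, regexpTestChecked, probeLeaf and iterationsUntilOom are hypothetical, and only the flat copy is charged against the budget. The unchecked variant shows the pattern that yields a null dereference, the checked variant returns an OOM result instead, and the driver replays the testcase's doubling loop to find the iteration at which the 14 * (2^i - 1) byte subject stops fitting.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Constructed model, not SpiderMonkey code: a regexp test needs its subject
// as a linear string, flattening a rope allocates, and under OOM that
// allocation yields nullptr.  Using it unchecked is the crash in the backtrace.

// Hypothetical allocator with a byte budget; like a failing malloc it returns
// nullptr instead of aborting.
struct BudgetedHeap {
    size_t budget;
    size_t used = 0;
    explicit BudgetedHeap(size_t b) : budget(b) {}
    char* alloc(size_t n) {
        if (n > budget - used) return nullptr;   // simulated OOM
        used += n;
        return new char[n];
    }
    void release(char* p, size_t n) { delete[] p; used -= n; }
};

// Rope node: a leaf holding characters or the O(1) concatenation of two ropes.
// Characters only become contiguous when flattened, so the doubling loop stays
// cheap right up to the point where the flat copy no longer fits.
struct Rope {
    std::string leaf;
    const Rope* left = nullptr;
    const Rope* right = nullptr;
    size_t len = 0;
    static Rope makeLeaf(std::string s) {
        Rope r; r.len = s.size(); r.leaf = std::move(s); return r;
    }
    static Rope concat(const Rope* a, const Rope* b) {
        Rope r; r.left = a; r.right = b; r.len = a->len + b->len; return r;
    }
    // Copy the characters into out, which must have room for len bytes.
    void copyTo(char* out) const {
        if (!left) { std::memcpy(out, leaf.data(), len); return; }
        left->copyTo(out);
        right->copyTo(out + left->len);
    }
};

enum class Result { Match, NoMatch, OutOfMemory };

// Pattern behind the crash, kept for contrast and never called here: the
// flatten result goes straight into use, so on OOM it writes through nullptr.
bool regexpTestUnchecked(const Rope& subject, BudgetedHeap& heap) {
    char* chars = heap.alloc(subject.len);
    subject.copyTo(chars);                          // nullptr deref on OOM
    bool hit = std::memchr(chars, 'x', subject.len) != nullptr;
    heap.release(chars, subject.len);
    return hit;
}

// Hardened form: check the allocation and report OOM to the caller instead
// of dereferencing.  The "regexp" is the literal /x/ from the testcase.
Result regexpTestChecked(const Rope& subject, BudgetedHeap& heap) {
    char* chars = heap.alloc(subject.len);
    if (!chars) return Result::OutOfMemory;         // the missing check
    subject.copyTo(chars);
    bool hit = std::memchr(chars, 'x', subject.len) != nullptr;
    heap.release(chars, subject.len);
    return hit ? Result::Match : Result::NoMatch;
}

// Probe a single flat string against a given budget.
Result probeLeaf(const std::string& s, size_t budgetBytes) {
    BudgetedHeap heap(budgetBytes);
    Rope leaf = Rope::makeLeaf(s);
    return regexpTestChecked(leaf, heap);
}

// Replays the testcase loop with the checked version: each step builds
// concat(str, concat(str, "xxxxxxxxxxxxxx")), so the flat length after i steps
// is 14 * (2^i - 1).  Returns the first iteration whose regexp test reports
// OOM, or -1 if all maxIter iterations fit.  Rope nodes live in the arena.
int iterationsUntilOom(size_t budgetBytes, int maxIter) {
    BudgetedHeap heap(budgetBytes);
    std::vector<std::unique_ptr<Rope>> arena;
    auto add = [&](Rope r) -> const Rope* {
        arena.push_back(std::make_unique<Rope>(std::move(r)));
        return arena.back().get();
    };
    const Rope* pad = add(Rope::makeLeaf("xxxxxxxxxxxxxx"));
    const Rope* str = add(Rope::makeLeaf(""));
    for (int i = 0; i < maxIter; ++i) {
        if (regexpTestChecked(*str, heap) == Result::OutOfMemory) return i;
        const Rope* tail = add(Rope::concat(str, pad));   // str + 'xxx...'
        str = add(Rope::concat(str, tail));               // str += ...
    }
    return -1;
}

int main() {
    // With a 1 MiB budget the test at iteration 17 needs 1834994 bytes and fails.
    std::printf("OOM reported at iteration %d\n", iterationsUntilOom(1u << 20, 10000));
    return 0;
}
```

The point of the driver is that a bounded heap turns the MAX = 10000 loop into an OOM within a couple of dozen iterations, long before the loop bound matters, so any flatten-then-use path on the regexp side has to treat a null result as an error rather than a string.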
Comment 1 Tom Schuster [:evilpie] 2011-10-31 14:25:55 PDT
Created attachment 570845 [details] [diff] [review]
wip

Untested but should fix this.
Comment 2 Mozilla RelEng Bot 2011-11-01 11:20:27 PDT
Try run for 5a1614379c50 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=5a1614379c50
Results (out of 19 total builds):
    success: 14
    warnings: 5
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-5a1614379c50
Comment 3 Tom Schuster [:evilpie] 2011-11-01 12:50:54 PDT
Created attachment 571114 [details] [diff] [review]
v1

Not sure how to test, but didn't crash on Android test run.
Comment 4 Matt Brubeck (:mbrubeck) 2011-11-03 15:26:40 PDT
Backed out along with bug 430927 because of test failures on inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/04505e53439e

This patch can re-land if it is not responsible for the test failures.
Comment 5 Mozilla RelEng Bot 2011-11-04 11:20:22 PDT
Try run for 57e8ba5a8d21 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=57e8ba5a8d21
Results (out of 18 total builds):
    exception: 16
    failure: 2
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-57e8ba5a8d21
Comment 6 Mozilla RelEng Bot 2011-11-04 13:50:52 PDT
Try run for a45235903f82 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=a45235903f82
Results (out of 88 total builds):
    exception: 41
    success: 5
    warnings: 3
    failure: 39
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-a45235903f82
Comment 7 Mozilla RelEng Bot 2011-11-04 18:00:47 PDT
Try run for 2d87fa073ff9 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=2d87fa073ff9
Results (out of 193 total builds):
    success: 184
    warnings: 9
Builds available at http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-2d87fa073ff9
Comment 9 Marco Bonardo [::mak] 2011-11-07 03:43:59 PST
https://hg.mozilla.org/mozilla-central/rev/9a95c40a398d
Comment 10 Christian Holler (:decoder) 2013-01-14 08:12:18 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug698584.js.
