Closed Bug 720675 Opened 13 years ago Closed 13 years ago

OOM Crash [@ JSString::isFlat] with NULL deref

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla13

People

(Reporter: decoder, Assigned: evilpies)

Details

(Keywords: crash, testcase, Whiteboard: js-triage-done)

Attachments

(1 file)

The following test crashes on mozilla-central revision 42368fe44c8c (options -m -n):

    gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
    arr = [1e0, 5e1, 9e19, 0.1e20, 1.3e20, 1e20, 9e20, 9.99e20, 0.1e21, 1e21, 1e21+65537, 1e21+65536, 1e21-65536, 1];
    for (var i = 0; i < 4000; i++) { arr.push(1e19 + i*1e19); }
    for (var i in arr) {}

As far as I can tell, there is an OOM happening during the call to js_IntToString which causes the returned string to be NULL which is then again dereferenced without a further OOM (NULL) check. Let me know if that description is somewhat accurate :D
> As far as I can tell, there is an OOM happening during the call to js_IntToString which causes the returned string to be NULL which is then again dereferenced without a further OOM (NULL) check. Let me know if that description is somewhat accurate :D

Spot on! Some way or another we could probably also OOM, with ToStringSlow(cx, IdToValue(id)), but that probably involves some E4X, so I am out ;)
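The failure pattern diagnosed above (an int-to-string conversion returning NULL under OOM, and a caller dereferencing that NULL instead of propagating the failure) as an added C model; this is not SpiderMonkey's code, and the budget allocator, `Str` type and function names are constructed for the illustration:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model, not SpiderMonkey's code: a heap string whose
 * allocation can fail, like js_IntToString returning NULL on OOM. */
typedef struct { size_t len; char chars[]; } Str;
/* Constructed allocator with a byte budget (not refunded on free),
 * standing in for the gcparam("maxBytes") limit set by the testcase. */
static size_t g_budget;
static void *budget_alloc(size_t n) {
    if (n > g_budget) return NULL;             /* simulated OOM */
    g_budget -= n;
    return malloc(n);
}
/* Analogue of js_IntToString: NULL means allocation failed. */
static Str *int_to_str(long v) {
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld", v);
    Str *s = budget_alloc(sizeof *s + (size_t)n + 1);
    if (!s) return NULL;
    memcpy(s->chars, buf, (size_t)n + 1);
    s->len = (size_t)n;
    return s;
}
/* Buggy pattern from the report: the converted string is used
 * without a NULL check, so the first OOM dereferences NULL. */
static size_t sum_lengths_unchecked(long count, size_t budget) {
    size_t total = 0;
    g_budget = budget;
    for (long i = 0; i < count; i++) {
        Str *s = int_to_str(i);
        total += s->len;                       /* NULL deref on OOM */
        free(s);
    }
    return total;
}

/* Fixed pattern: check the result and propagate the OOM upward
 * (-1 here, where the engine would report an exception instead). */
static long sum_lengths_checked(long count, size_t budget) {
    long total = 0;
    g_budget = budget;
    for (long i = 0; i < count; i++) {
        Str *s = int_to_str(i);
        if (!s) return -1;                     /* OOM: unwind */
        total += (long)s->len;
        free(s);
    }
    return total;
}
```

With a generous budget both callers agree on the result; with a budget that runs out mid-loop the checked caller returns -1 while the unchecked one would crash on the NULL dereference.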
Attachment #591085 - Flags: review?(bhackett1024)
Assignee: general → evilpies
Whiteboard: js-triage-needed → js-triage-done
Attachment #591085 - Flags: review?(bhackett1024) → review+
OS: Linux → All
Hardware: x86_64 → All
Try run for 66e63166c199 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=66e63166c199
Results (out of 244 total builds):
    success: 177
    warnings: 22
    failure: 45
Builds (or logs if builds failed) available at:
    http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-66e63166c199
Timed out after 06 hours without completing.
Try run for 153baab05b46 is complete.
Detailed breakdown of the results available here:
    https://tbpl.mozilla.org/?tree=Try&rev=153baab05b46
Results (out of 206 total builds):
    success: 183
    warnings: 23
Builds (or logs if builds failed) available at:
    http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/evilpies@gmail.com-153baab05b46
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug720675.js.
Flags: in-testsuite+