Crash on Heap with possible OOM

RESOLVED WORKSFORME

Status

()

Core
JavaScript Engine
--
critical
RESOLVED WORKSFORME
5 years ago
4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
x86
Linux
crash, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:])

(Reporter)

Description

5 years ago
The following testcase crashes on mozilla-central revision 690b5e0f6562 (run with --ion-eager):


function reportCompare (expected, actual, description) {
    return actual == expected;
}
var UBound = 0;
var cnGlobal = this.toString();
var cnObject = (new Object).toString();
var statusitems = [];
var actualvalues = [];
var expectedvalues = [];
capture(this.toString());
capture(-12346);
expectedvalues[0] = cnGlobal;
expectedvalues[1] = cnObject;
test();
function capture(val) {
  actualvalues[UBound] = val;
  UBound++;
}
function test() {
  for (var i=0; i<UBound; i++)
    reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]);
}
Any crash stack? Regression window? possible developer to involve?
Flags: needinfo?(choller)
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect,ignore]
(Reporter)

Comment 2

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision b842d26dd5f0).
Flags: needinfo?(choller)
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisect,ignore] → [jsbugmon:bisectfix]
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:bisectfix] → [jsbugmon:]
(Reporter)

Comment 3

5 years ago
JSBugMon: Fix Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   130564:b035b05f6a18
user:        Brian Hackett
date:        Wed May 01 18:07:36 2013 -0600
summary:     Bug 866765 - Refactor compilation of JSOP_SETELEM to only pop operands at one point, r=dvander.

This iteration took 329.691 seconds to run.
(Reporter)

Comment 4

5 years ago
Brian, is the bug in comment 3 likely fixing the crash?
Flags: needinfo?(bhackett1024)
Can't say for sure without a stack, but why not?
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → WORKSFORME
Group: core-security
You need to log in before you can comment on or make changes to this bug.