Improper OOM check in DoCompareFallback

RESOLVED FIXED in Firefox 28

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 3 years ago
Reporter: decoder
Assigned: decoder
Blocks: 2 bugs
Version: Trunk
Target Milestone: mozilla29
Platform: x86_64 Linux
Keywords: crash
Tracking Flags: firefox28 fixed, firefox29 fixed
Whiteboard: [qa-]
Attachments: 1

(Assignee)

Description

3 years ago
Created attachment 8345050: js-setNext-oom.patch

In js::jit::DoCompareFallback we have the following code:

>    ICStub *doubleStub = compiler.getStub(compiler.getStubSpace(script));
>    if (!stub)
>        return false;

I think this is either a typo or some tasty copy-pasta. I changed stub to doubleStub and it fixed another OOM crasher for me. Jandem, can you review the attached patch since it's your code?
Attachment #8345050 - Flags: review?(jdemooij)
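
The check described in the report above, shown next to its corrected form. This is an added example, not code from the bug or from the Mozilla tree: `ICStub`, `StubSpace`, `attachBuggy`, `attachFixed` and the `Result` values are hypothetical stand-ins, and the out-of-memory condition is simulated by a stub space that runs out of slots.

```cpp
#include <cstddef>

// Hypothetical stand-ins for the engine's types; only the shape of the check matters.
struct ICStub { ICStub *next = nullptr; };

// Constructed stub space: hands out at most `capacity` stubs, then returns
// nullptr, which is how the out-of-memory case is simulated here.
struct StubSpace {
    ICStub pool[4];
    std::size_t capacity;
    std::size_t used = 0;
    explicit StubSpace(std::size_t cap) : capacity(cap < 4 ? cap : 4) {}
    ICStub *alloc() { return used < capacity ? &pool[used++] : nullptr; }
};

enum Result { ATTACHED, OOM_HANDLED, NULL_DEREF };

// Shape of the reported code: the test names `stub` (the existing fallback
// stub, never null here), so a failed allocation of doubleStub goes unnoticed.
Result attachBuggy(ICStub *stub, StubSpace &space) {
    ICStub *doubleStub = space.alloc();
    if (!stub)
        return OOM_HANDLED;
    if (!doubleStub)
        return NULL_DEREF;   // added guard: the next line would write through null
    doubleStub->next = stub;
    return ATTACHED;
}

// Shape of the fix described in the report: test the pointer just allocated.
Result attachFixed(ICStub *stub, StubSpace &space) {
    ICStub *doubleStub = space.alloc();
    if (!doubleStub)
        return OOM_HANDLED;
    doubleStub->next = stub;
    return ATTACHED;
}

int main() {
    ICStub fallback;
    StubSpace ok(1), oomA(0), oomB(0);
    bool pass = attachFixed(&fallback, ok) == ATTACHED &&
                attachBuggy(&fallback, oomA) == NULL_DEREF &&
                attachFixed(&fallback, oomB) == OOM_HANDLED;
    return pass ? 0 : 1;
}
```

Both variants behave identically while allocation succeeds, which is why a check on the wrong variable only surfaces under allocation-failure testing.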

Updated

3 years ago
Attachment #8345050 - Flags: review?(jdemooij) → review+
(Assignee)

Comment 1

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/908680cb2773
Status: NEW → ASSIGNED
https://hg.mozilla.org/mozilla-central/rev/908680cb2773
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
(Assignee)

Updated

3 years ago
Duplicate of this bug: 914598
Christian: should this OOM fix be uplifted to Aurora 28 and Beta 27?
Flags: needinfo?(choller)
(Assignee)

Comment 5

3 years ago
This one can safely be uplifted to Aurora at least.
Flags: needinfo?(choller)
(Assignee)

Comment 6

3 years ago
Comment on attachment 8345050: js-setNext-oom.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): N/A
User impact if declined: Crashes with OOM conditions
Testing completed (on m-c, etc.): A few days on mozilla-central
Risk to taking this patch (and alternatives if risky): Not risky, patch is just fixing a null check (fixing a typo).
String or IDL/UUID changes made by this patch: None
Attachment #8345050 - Flags: approval-mozilla-aurora?
Attachment #8345050 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
(Assignee)

Comment 7

3 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/8f29c6506b23
status-firefox28: --- → fixed
status-firefox29: --- → fixed
I don't think this needs QA verification. If anyone thinks that's a mistake please remove the [qa-] whiteboard tag and add the verifyme keyword.
Whiteboard: [qa-]