
Crash [@ get] due to unhandled OOM in js::RegExpCompartment::getOrCreateMatchResultTemplateObject

RESOLVED FIXED in mozilla29

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: decoder, Assigned: decoder)

Tracking

(Blocks: 2 bugs, {crash})

Trunk
mozilla29
x86_64
Linux
crash
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

Attachments

(2 attachments)

(Assignee)

Description

3 years ago
Created attachment 8347749 [details] [diff] [review]
js-regexp-oom.patch

I'm seeing a crash that seems to be caused by an unhandled nullptr returned by NewDenseUnallocatedArray in js::RegExpCompartment::getOrCreateMatchResultTemplateObject:

> HeapPtrObject &
> RegExpCompartment::getOrCreateMatchResultTemplateObject(JSContext *cx)
> {
[...]
>    /* Create template array object */
>    RootedObject templateObject(cx, NewDenseUnallocatedArray(cx, 0, nullptr, TenuredObject));
>
>    /* Set dummy index property */
>    RootedValue index(cx, Int32Value(0));
>    if (!baseops::DefineProperty(cx, templateObject, cx->names().index, index,


Looks like templateObject should be checked here. Patch attached.

Regressed by:

commit c60befbddce89cabfab9161a267cff85bd25ad1d
Author:	Hannes Verschore <>  Thu Dec 12 16:43:52 2013
Committer:	Hannes Verschore <> Thu Dec 12 16:43:52 2013

Bug 879402 - Use template object to faster set the input and index properties on CreateRegExpMatchResult, r=bhackett
Attachment #8347749 - Flags: review?(hv1989)
Created attachment 8347941 [details] [diff] [review]
patch2

I forgot another one, looking at it again.
Attachment #8347941 - Flags: review?(choller)
Attachment #8347749 - Flags: review?(hv1989) → review+
(Assignee)

Comment 2

3 years ago
Comment on attachment 8347941 [details] [diff] [review]
patch2

Looks right :) So are you going to land this and I land my patch?
Attachment #8347941 - Flags: review?(choller) → review+
Landed both in one commit ;)

https://hg.mozilla.org/integration/mozilla-inbound/rev/a1c997b8c052
https://hg.mozilla.org/mozilla-central/rev/a1c997b8c052
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29

Updated

3 years ago
Keywords: verifyme
Can we trigger this crash manually on older builds, so we can verify that the crash does not occur in latest builds?
Flags: needinfo?(choller)
(Assignee)

Comment 6

3 years ago
For OOM bugs, it's generally not possible to verify that they are gone, even if we have a test. The test can easily not reproduce on a newer build, simply because we don't OOM in the right spot anymore. That said, I haven't seen or hit this anymore in fuzzing or OOM testing, so I'd consider this verified nevertheless :)
Flags: needinfo?(choller)
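The two technical points on this page, the missing nullptr check after NewDenseUnallocatedArray in the description and the "OOM must hit the right spot" verification problem in comment 6, modelled as an added example. This is not SpiderMonkey code: Context, ArrayObject, newDenseUnallocatedArray, tryAlloc, oomSweep and firstNullDeref are names assumed for the example, and the allocator is a fault-injecting stand-in that fails one chosen allocation, in the spirit of the engine's OOM testing rather than an implementation of it.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct Context;

// Toy object whose property definition can itself fail under OOM.
struct ArrayObject {
    std::vector<std::pair<std::string, int32_t>> props;
    bool defineProperty(Context &cx, const char *name, int32_t value);
};

// Stand-in for JSContext with a fault-injecting allocator (assumption, not
// the real engine): allocation request number fail_at reports OOM, all
// others succeed. The context owns every object it hands out.
struct Context {
    std::size_t allocs_seen = 0;
    std::size_t fail_at = SIZE_MAX;   // SIZE_MAX: never inject a failure
    std::vector<std::unique_ptr<ArrayObject>> heap;

    // Models "allocate, or ReportOutOfMemory and return failure".
    bool tryAlloc() { return allocs_seen++ != fail_at; }
};

// Model of baseops::DefineProperty: growing the slot storage allocates.
bool ArrayObject::defineProperty(Context &cx, const char *name, int32_t value) {
    if (!cx.tryAlloc())
        return false;
    props.emplace_back(name, value);
    return true;
}

// Model of NewDenseUnallocatedArray: nullptr signals OOM.
ArrayObject *newDenseUnallocatedArray(Context &cx) {
    if (!cx.tryAlloc())
        return nullptr;
    cx.heap.push_back(std::make_unique<ArrayObject>());
    return cx.heap.back().get();
}

enum class Outcome { Ok, OomHandled, NullDeref };

// Before the fix: the allocation result is used without a check.
Outcome buildTemplateUnchecked(Context &cx) {
    ArrayObject *templateObject = newDenseUnallocatedArray(cx);
    // The real code calls DefineProperty on templateObject here and crashes
    // when it is nullptr; the model records that instead of dereferencing.
    if (templateObject == nullptr)
        return Outcome::NullDeref;
    if (!templateObject->defineProperty(cx, "index", 0))
        return Outcome::OomHandled;
    if (!templateObject->defineProperty(cx, "input", 0))
        return Outcome::OomHandled;
    return Outcome::Ok;
}

// After the fix: OOM from the allocation propagates like any other failure.
Outcome buildTemplateChecked(Context &cx) {
    ArrayObject *templateObject = newDenseUnallocatedArray(cx);
    if (!templateObject)
        return Outcome::OomHandled;   // the added check
    if (!templateObject->defineProperty(cx, "index", 0))
        return Outcome::OomHandled;
    if (!templateObject->defineProperty(cx, "input", 0))
        return Outcome::OomHandled;
    return Outcome::Ok;
}

// OOM sweep: count the allocations of one clean run, then rerun with each
// allocation in turn forced to fail. Forcing every failure point is what
// keeps the test meaningful when a build no longer runs out of memory at
// the spot the original crash happened to hit. One Outcome per point.
std::vector<Outcome> oomSweep(Outcome (*fn)(Context &)) {
    Context probe;
    fn(probe);
    std::vector<Outcome> results;
    for (std::size_t i = 0; i < probe.allocs_seen; ++i) {
        Context cx;
        cx.fail_at = i;
        results.push_back(fn(cx));
    }
    return results;
}

// Index of the first failure point that ends in a null dereference, or -1.
long firstNullDeref(Outcome (*fn)(Context &)) {
    std::vector<Outcome> r = oomSweep(fn);
    for (std::size_t i = 0; i < r.size(); ++i)
        if (r[i] == Outcome::NullDeref)
            return static_cast<long>(i);
    return -1;
}

int main() {
    std::printf("unchecked: first null deref at allocation %ld\n",
                firstNullDeref(buildTemplateUnchecked));
    std::printf("checked:   first null deref at allocation %ld\n",
                firstNullDeref(buildTemplateChecked));
    return 0;
}
```

The unchecked builder fails at allocation 0 (the array itself); the checked one turns every injected failure into a clean OomHandled and still returns Ok when nothing is injected. The sweep is the part that addresses comment 6: rather than hoping a newer build runs out of memory at the same point, it forces each allocation to fail in turn, so a regression shows up no matter where the real OOM would have landed.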

Updated

3 years ago
Keywords: verifyme