Created attachment 8347749
I'm seeing a crash that seems to be caused by an unhandled nullptr returned by NewDenseUnallocatedArray in js::RegExpCompartment::getOrCreateMatchResultTemplateObject:
> HeapPtrObject &
> RegExpCompartment::getOrCreateMatchResultTemplateObject(JSContext *cx)
> /* Create template array object */
> RootedObject templateObject(cx, NewDenseUnallocatedArray(cx, 0, nullptr, TenuredObject));
> /* Set dummy index property */
> RootedValue index(cx, Int32Value(0));
> if (!baseops::DefineProperty(cx, templateObject, cx->names().index, index,
Looks like templateObject should be checked here. Patch attached.
Author: Hannes Verschore <> Thu Dec 12 16:43:52 2013
Committer: Hannes Verschore <> Thu Dec 12 16:43:52 2013
Bug 879402 - Use template object to faster set the input and index properties on CreateRegExpMatchResult, r=bhackett
Created attachment 8347941
I forgot another one, looking at it again.
Comment on attachment 8347941
Looks right :) So are you going to land this and I land my patch?
Landed both in one commit ;)
Can we trigger this crash manually on older builds, so we can verify that the crash does not occur in latest builds?
For OOM bugs, it's generally not possible to verify that they are gone, even if we have a test. The test can easily not reproduce on a newer build, simply because we don't OOM in the right spot anymore. That said, I haven't seen or hit this anymore in fuzzing or OOM testing, so I'd consider this verified nevertheless :)
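Added example, not code from this bug or from SpiderMonkey: the unchecked and checked forms of the pattern reported above side by side, plus the budget-sweep technique for the verification problem described in the last comment, where a failure is injected at each allocation in turn instead of waiting for a real OOM to land on the right spot. FailAfterAllocator, defineIndexProperty and the two create functions are constructed stand-ins for NewDenseUnallocatedArray, DefineProperty and getOrCreateMatchResultTemplateObject.

```cpp
#include <vector>

// Constructed fallible allocator: returns nullptr once its budget is spent, placing
// a simulated OOM at a chosen allocation the way OOM fuzzing injects failures.
struct FailAfterAllocator {
    int remaining;                       // allocations still allowed to succeed
    explicit FailAfterAllocator(int budget) : remaining(budget) {}
    std::vector<int>* newArray() {
        if (remaining-- <= 0) return nullptr;   // simulated allocation failure
        return new std::vector<int>();
    }
};

// Hypothetical stand-in for DefineProperty: it needs a live object to write into.
static bool defineIndexProperty(std::vector<int>* obj, int value) {
    obj->push_back(value);               // dereferences obj; nullptr here is the crash
    return true;
}

// Unchecked pattern from the report: an OOM at newArray() becomes a null dereference.
static bool createTemplateUnchecked(FailAfterAllocator& alloc, std::vector<int>** out) {
    std::vector<int>* templateObject = alloc.newArray();
    if (!defineIndexProperty(templateObject, 0))
        return false;
    *out = templateObject;
    return true;
}

// Checked form: test the allocation result and report the failure to the caller.
static bool createTemplateChecked(FailAfterAllocator& alloc, std::vector<int>** out) {
    std::vector<int>* templateObject = alloc.newArray();
    if (!templateObject)
        return false;                    // propagate OOM instead of dereferencing
    if (!defineIndexProperty(templateObject, 0)) { delete templateObject; return false; }
    *out = templateObject;
    return true;
}

// Sweep every budget from 0 to maxBudget through the checked path, so the failure is
// injected at each allocation in turn. Returns how many budgets failed cleanly.
static int countGracefulFailures(int maxBudget) {
    int graceful = 0;
    for (int budget = 0; budget <= maxBudget; ++budget) {
        FailAfterAllocator alloc(budget);
        std::vector<int>* obj = nullptr;
        bool ok = createTemplateChecked(alloc, &obj);
        if (!ok && obj == nullptr) ++graceful;
        delete obj;                      // no-op when obj stayed nullptr
    }
    return graceful;
}
```

With a single allocation site only budget 0 fails, so the sweep reports exactly one clean failure; a second allocation in the path would add a second budget to exercise.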