Bug 959167 - Crash [@ runtimeFromAnyThread] or Crash [@ operator->()] due to unhandled OOM in [@ js::CloneRegExpObject]
Status: RESOLVED FIXED
Whiteboard: [jsbugmon:update]
Keywords: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla29
Assigned To: Christian Holler (:decoder)
: Jason Orendorff [:jorendorff]
Mentors:
Depends on:
Blocks: langfuzz 912928
Reported: 2014-01-13 06:38 PST by Christian Holler (:decoder)
Modified: 2014-01-23 14:02 PST
CC List: 5 users
anthony.s.hughes: in‑testsuite?

Attachments
regexp-oom.patch (782 bytes, patch)
2014-01-13 06:43 PST, Christian Holler (:decoder)
jdemooij: review+
bajaj.bhavana: approval‑mozilla‑aurora+
bajaj.bhavana: approval‑mozilla‑beta+

Description Christian Holler (:decoder) 2014-01-13 06:38:25 PST
The following testcase crashes on mozilla-central revision 80a27198344a (run with --fuzzing-safe --ion-eager):


gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function foo() {
    var re = /erwe/;
    foo(re.multiline);
}
foo();

Comment 1 Christian Holler (:decoder) 2014-01-13 06:43:47 PST
Created attachment 8359227
regexp-oom.patch

Simple fix.

Comment 2 Christian Holler (:decoder) 2014-01-13 06:49:56 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/e8366701a51b

Comment 3 Ryan VanderMeulen [:RyanVM] 2014-01-13 14:49:33 PST
https://hg.mozilla.org/mozilla-central/rev/e8366701a51b

Comment 4 Christian Holler (:decoder) 2014-01-21 03:52:24 PST
Comment on attachment 8359227
regexp-oom.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 956293
User impact if declined: Crashes/Assertions in debug builds with OOM
Testing completed (on m-c, etc.): mozilla-central for a while
Risk to taking this patch (and alternatives if risky): None, this is debug only, and the fix is very simple.
String or IDL/UUID changes made by this patch: None.
