Closed Bug 959167 Opened 6 years ago Closed 6 years ago

Crash [@ runtimeFromAnyThread] or Crash [@ operator->()] due to unhandled OOM in [@ js::CloneRegExpObject]

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux

Tracking

RESOLVED FIXED
mozilla29
Tracking Status
firefox27 --- fixed
firefox28 --- fixed
firefox29 --- fixed

People

(Reporter: decoder, Assigned: decoder)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 80a27198344a (run with --fuzzing-safe --ion-eager):


gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function foo() {
    var re = /erwe/;
    foo(re.multiline);
}
foo();
Blocks: 912928
Crash Signature: [@ runtimeFromAnyThread] or Crash [@ operator->()] due to unhandled OOM in [@ js::CloneRegExpObject] → [@ runtimeFromAnyThread] [@ operator->()]
Whiteboard: [jsbugmon:update]
Attached patch regexp-oom.patch
Simple fix.
Assignee: nobody → choller
Status: NEW → ASSIGNED
Attachment #8359227 - Flags: review?(jdemooij)
Attachment #8359227 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/e8366701a51b
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Comment on attachment 8359227
regexp-oom.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 956293
User impact if declined: Crashes/Assertions in debug builds with OOM
Testing completed (on m-c, etc.): mozilla-central for a while
Risk to taking this patch (and alternatives if risky): None, this is debug only, and the fix is very simple.
String or IDL/UUID changes made by this patch: None.
Attachment #8359227 - Flags: approval-mozilla-beta?
Attachment #8359227 - Flags: approval-mozilla-aurora?
Attachment #8359227 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #8359227 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Flags: in-testsuite?