Last Comment Bug 959167 - Crash [@ runtimeFromAnyThread] or Crash [@ operator->()] due to unhandled OOM in [@ js::CloneRegExpObject]
: Crash [@ runtimeFromAnyThread] or Crash [@ operator->()] due to unhandled OOM...
: crash, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: mozilla29
Assigned To: Christian Holler (:decoder)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz 912928
  Show dependency treegraph
Reported: 2014-01-13 06:38 PST by Christian Holler (:decoder)
Modified: 2014-01-23 14:02 PST (History)
5 users (show) in‑testsuite?
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

regexp-oom.patch (782 bytes, patch)
2014-01-13 06:43 PST, Christian Holler (:decoder)
jdemooij: review+
bajaj.bhavana: approval‑mozilla‑aurora+
bajaj.bhavana: approval‑mozilla‑beta+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2014-01-13 06:38:25 PST
The following testcase crashes on mozilla-central revision 80a27198344a (run with --fuzzing-safe --ion-eager):

gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function foo() {
    var re = /erwe/;
Comment 1 User image Christian Holler (:decoder) 2014-01-13 06:43:47 PST
Created attachment 8359227 [details] [diff] [review]

Simple fix.
Comment 2 User image Christian Holler (:decoder) 2014-01-13 06:49:56 PST
Comment 3 User image Ryan VanderMeulen [:RyanVM] 2014-01-13 14:49:33 PST
Comment 4 User image Christian Holler (:decoder) 2014-01-21 03:52:24 PST
Comment on attachment 8359227 [details] [diff] [review]

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 956293
User impact if declined: Crashes/Assertions in debug builds with OOM
Testing completed (on m-c, etc.): mozilla-central for a while
Risk to taking this patch (and alternatives if risky): None, this is debug only, and the fix is very simple.
String or IDL/UUID changes made by this patch: None.

Note You need to log in before you can comment on or make changes to this bug.