Crash [@ runtimeFromAnyThread] or Crash [@ operator->()] due to unhandled OOM in [@ js::CloneRegExpObject]

RESOLVED FIXED in Firefox 27

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: decoder, Assigned: decoder)

Tracking

(Blocks: 2 bugs, {crash, testcase})

Trunk
mozilla29
x86_64
Linux
crash, testcase
Points:
---
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox27 fixed, firefox28 fixed, firefox29 fixed)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(1 attachment)

(Assignee)

Description

3 years ago
The following testcase crashes on mozilla-central revision 80a27198344a (run with --fuzzing-safe --ion-eager):


gcparam("maxBytes", gcparam("gcBytes") + 4*1024);
function foo() {
    var re = /erwe/;
    foo(re.multiline);
}
foo();
(Assignee)

Updated

3 years ago
Blocks: 912928
Crash Signature: [@ runtimeFromAnyThread] or Crash [@ operator->()] due to unhandled OOM in [@ js::CloneRegExpObject] → [@ runtimeFromAnyThread] [@ operator->()]
Whiteboard: [jsbugmon:update]
(Assignee)

Comment 1

3 years ago
Created attachment 8359227 [details] [diff] [review]
regexp-oom.patch

Simple fix.
Assignee: nobody → choller
Status: NEW → ASSIGNED
Attachment #8359227 - Flags: review?(jdemooij)

Updated

3 years ago
Attachment #8359227 - Flags: review?(jdemooij) → review+
(Assignee)

Comment 2

3 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/e8366701a51b
https://hg.mozilla.org/mozilla-central/rev/e8366701a51b
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
(Assignee)

Updated

3 years ago
status-firefox27: --- → affected
status-firefox28: --- → affected
status-firefox29: --- → fixed
tracking-firefox27: --- → ?
tracking-firefox28: --- → ?
(Assignee)

Comment 4

3 years ago
Comment on attachment 8359227 [details] [diff] [review]
regexp-oom.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 956293
User impact if declined: Crashes/Assertions in debug builds with OOM
Testing completed (on m-c, etc.): mozilla-central for a while
Risk to taking this patch (and alternatives if risky): None, this is debug only, and the fix is very simple.
String or IDL/UUID changes made by this patch: None.
Attachment #8359227 - Flags: approval-mozilla-beta?
Attachment #8359227 - Flags: approval-mozilla-aurora?

Updated

3 years ago
tracking-firefox27: ? → ---
tracking-firefox28: ? → ---

Updated

3 years ago
Attachment #8359227 - Flags: approval-mozilla-beta?
Attachment #8359227 - Flags: approval-mozilla-beta+
Attachment #8359227 - Flags: approval-mozilla-aurora?
Attachment #8359227 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 5

3 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/b4912bd395c7
https://hg.mozilla.org/releases/mozilla-beta/rev/840132b6f702
status-firefox27: affected → fixed
status-firefox28: affected → fixed
Flags: in-testsuite?