Bug 959208 - Crash [@ js::BarrieredValue::pre] or Crash [@ getClass] due to unhandled OOM in CloneObject
Status: VERIFIED FIXED
Keywords: sec-want
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla29
Assigned To: Christian Holler (:decoder)
: Jason Orendorff [:jorendorff]
Blocks: langfuzz 912928
Reported: 2014-01-13 08:00 PST by Christian Holler (:decoder)
Modified: 2014-03-21 07:02 PDT


Attachments
clone-oom.patch (1.39 KB, patch)
2014-01-13 08:00 PST, Christian Holler (:decoder)
jdemooij: review+

Description Christian Holler (:decoder) 2014-01-13 08:00:44 PST
Created attachment 8359260 [details] [diff] [review]
clone-oom.patch

This code in CloneObject does not check the return value of CloneFunctionObject before using it, causing crashes:

>     clone = CloneFunctionObject(cx, fun, cx->global(), kind, TenuredObject);
>     // To be able to re-lazify the cloned function, its name in the
>     // self-hosting compartment has to be stored on the clone.
>     if (hasName)
>         clone->as<JSFunction>().setExtendedSlot(0, StringValue(fun->atom()));

Patch attached.
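As an added illustration, not code from this bug, its patch, or SpiderMonkey: a small C++ stand-in for the CloneObject/CloneFunctionObject pair, with an allocation-failure injector, showing the unchecked pattern quoted above beside the null check the report calls for. All names (Context, FunObject, cloneFunctionObject, cloneObjectUnchecked, cloneObjectChecked) are hypothetical.

```cpp
#include <memory>
#include <string>

// Added example, not SpiderMonkey code: a minimal stand-in for the
// CloneObject / CloneFunctionObject pair from the bug report. All names
// here are hypothetical.
struct FunObject {
    std::string atom;          // stands in for fun->atom()
    std::string extendedSlot0; // stands in for extended slot 0 on the clone
};

// Context with a simple OOM injector: allocation number N fails.
struct Context {
    int allocsUntilFail;  // -1 = never fail
    bool allocOk() {
        if (allocsUntilFail < 0) return true;
        if (allocsUntilFail == 0) return false;
        --allocsUntilFail;
        return true;
    }
};

// Like CloneFunctionObject: returns nullptr when allocation fails.
std::unique_ptr<FunObject> cloneFunctionObject(Context& cx, const FunObject& fun) {
    if (!cx.allocOk()) return nullptr;  // simulated OOM
    auto clone = std::unique_ptr<FunObject>(new FunObject());
    clone->atom = fun.atom;
    return clone;
}

// The pattern the report flags: the result is used without a null check,
// so an OOM inside cloneFunctionObject becomes a nullptr dereference.
std::unique_ptr<FunObject> cloneObjectUnchecked(Context& cx, const FunObject& fun, bool hasName) {
    auto clone = cloneFunctionObject(cx, fun);
    if (hasName)
        clone->extendedSlot0 = fun.atom;  // crashes when clone is nullptr
    return clone;
}

// The check the report calls for: test the return value and propagate the
// failure to the caller instead of touching a null clone.
std::unique_ptr<FunObject> cloneObjectChecked(Context& cx, const FunObject& fun, bool hasName) {
    auto clone = cloneFunctionObject(cx, fun);
    if (!clone)
        return nullptr;
    if (hasName)
        clone->extendedSlot0 = fun.atom;
    return clone;
}
```

Driving cloneObjectChecked with every failure index from 0 upward is the OOM-simulation style of test that surfaces this class of bug before a fuzzer does.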
Comment 1 Jan de Mooij [:jandem] 2014-01-13 08:02:17 PST
Comment on attachment 8359260 [details] [diff] [review]
clone-oom.patch

Review of attachment 8359260 [details] [diff] [review]:

Good catch.
Comment 2 Christian Holler (:decoder) 2014-01-13 09:56:32 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/d86046660b1f
Comment 3 Ryan VanderMeulen [:RyanVM] 2014-01-13 14:48:51 PST
https://hg.mozilla.org/mozilla-central/rev/d86046660b1f
Comment 4 Ioana (away) 2014-03-21 07:02:02 PDT
Socorro shows no crashes with the signatures in this bug for the last 4 weeks.