Bug 959208 - Crash [@ js::BarrieredValue::pre] or Crash [@ getClass] due to unhandled OOM in CloneObject
Keywords: sec-want
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla29
Assigned To: Christian Holler (:decoder)
: Jason Orendorff [:jorendorff]
Blocks: langfuzz 912928
Reported: 2014-01-13 08:00 PST by Christian Holler (:decoder)
Modified: 2014-03-21 07:02 PDT (History)
CC: 5 users

clone-oom.patch (1.39 KB, patch)
2014-01-13 08:00 PST, Christian Holler (:decoder)
jdemooij: review+

Description: Christian Holler (:decoder) 2014-01-13 08:00:44 PST
Created attachment 8359260

This code in CloneObject does not check the return value of CloneFunctionObject before using it, causing crashes:

>     clone = CloneFunctionObject(cx, fun, cx->global(), kind, TenuredObject);
>     // To be able to re-lazify the cloned function, its name in the
>     // self-hosting compartment has to be stored on the clone.
>     if (hasName)
>         clone->as<JSFunction>().setExtendedSlot(0, StringValue(fun->atom()));

Patch attached.
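As an added illustration (not code from this bug, its patch, or SpiderMonkey), a small C++ model of the pattern in the quoted snippet: a stand-in for CloneFunctionObject that fails under an injected allocation budget, the unchecked use beside the checked one, and an OOM sweep of the kind that surfaces this class of bug. All types and names here are hypothetical.

```cpp
#include <cstddef>
#include <memory>
#include <string>
// Hypothetical stand-in for the engine's function object; extendedSlot0
// models the slot the quoted snippet writes on the clone.
struct Function {
    std::string atom;
    std::string extendedSlot0;
};

// Fault injection: the failAt-th allocation fails (failAt == 0 never fails).
struct OomBudget {
    std::size_t failAt = 0;
    std::size_t count = 0;
    bool fail() { return ++count == failAt; }
};

// Models CloneFunctionObject: returns nullptr on (injected) OOM.
Function* cloneFunctionObject(OomBudget& b, const Function& fun) {
    if (b.fail()) return nullptr;
    return new Function{fun.atom, ""};
}

// The shape the bug quotes: no null check, so an injected OOM is a null deref.
Function* cloneObjectUnchecked(OomBudget& b, const Function& fun, bool hasName) {
    Function* clone = cloneFunctionObject(b, fun);
    if (hasName) clone->extendedSlot0 = fun.atom;  // crashes when clone is null
    return clone;
}

// Hardened form: report the failure to the caller before touching the clone.
Function* cloneObjectChecked(OomBudget& b, const Function& fun, bool hasName) {
    Function* clone = cloneFunctionObject(b, fun);
    if (!clone) return nullptr;
    if (hasName) clone->extendedSlot0 = fun.atom;
    return clone;
}

// OOM sweep: fail allocation 1..maxFailAt in turn and require that each run
// either reports failure or yields a fully initialised clone.
bool sweepChecked(std::size_t maxFailAt) {
    for (std::size_t n = 1; n <= maxFailAt; ++n) {
        OomBudget b{n, 0};
        Function fun{"f", ""};
        std::unique_ptr<Function> clone(cloneObjectChecked(b, fun, true));
        if (clone && clone->extendedSlot0 != "f") return false;
    }
    return true;
}
```

cloneObjectUnchecked is kept only to show the reported shape; running it with an injected failure would dereference null.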
Comment 1: Jan de Mooij [:jandem] 2014-01-13 08:02:17 PST
Comment on attachment 8359260

Review of attachment 8359260:

Good catch.
Comment 2: Christian Holler (:decoder) 2014-01-13 09:56:32 PST
Comment 3: Ryan VanderMeulen [:RyanVM] 2014-01-13 14:48:51 PST
Comment 4: Ioana (away) 2014-03-21 07:02:02 PDT
Socorro shows no crashes with the signatures in this bug for the last 4 weeks.
