Crash [@ js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion]
Categories: Core :: JavaScript Engine, defect

Tracking:

Branch | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox-esr78 | --- | wontfix
firefox78 | --- | wontfix
firefox79 | --- | wontfix
firefox80 | --- | wontfix

People: Reporter: gkw, Unassigned
References: Regression
Details: Keywords: regression, testcase
Crash Data
Attachments: 1 file (deleted), text/plain

Description:
// Mixed in from js/src/jit-test/tests/regexp/huge-02.js
evalInWorker('RegExp(Array(1<<15).join("(") + Array(1<<15).join(")")).exec()');
Compiled using GCC 9.3.0 and Clang 9 with:
PKG_CONFIG_LIBDIR=/usr/lib/pkgconfig 'CC="clang -m32 -msse2 -mfpmath=sse"' 'CXX="clang++ -m32 -msse2 -mfpmath=sse"' AR=ar sh ./configure --target=i686-pc-linux --enable-debug --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
Run with:
--fuzzing-safe --ion-offthread-compile=off --ion-eager --no-baseline
Tested on m-c rev bd511bc456e4.
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ee1018a8611a
user: Iain Ireland
date: Sun May 10 16:00:26 2020 +0000
summary: Bug 1634135: Turn new regexp engine on by default in Nightly r=mgaudet
Highly unlikely this is bad, but I'll defer to Iain.
Comment 1 • Reporter • 4 years ago
Stack as a comment:
0x57eeb4b5 in js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0xf4fc0030) at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bd511bc456e4/objdir-js/dist/include/js/Utility.h:342
342 in /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bd511bc456e4/objdir-js/dist/include/js/Utility.h
(gdb) bt
#0 0x57eeb4b5 in js::AutoEnterOOMUnsafeRegion::AutoEnterOOMUnsafeRegion (this=0xf4fc0030) at /home/skygentoo/shell-cache/js-dbg-32-linux-x86_64-bd511bc456e4/objdir-js/dist/include/js/Utility.h:342
#1 0x588ec07b in v8::internal::Zone::New (this=0xf50fc5f8, size=60) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/util/ZoneShim.h:28
#2 0x588ef1b8 in v8::internal::ZoneObject::operator new (size=60, zone=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/util/ZoneShim.h:54
#3 v8::internal::ActionNode::StorePosition (reg=53977, is_capture=<optimized out>, on_success=0xf430f380) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler.cc:636
#4 0x58914916 in v8::internal::RegExpCapture::ToNode (body=0xf4bc7a70, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:934
#5 v8::internal::RegExpCapture::ToNode (this=0xf4bc7a48, compiler=0xf50fc688, on_success=0xf430f380) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#6 0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc7a48, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
#7 v8::internal::RegExpCapture::ToNode (this=0xf4bc7a20, compiler=0xf50fc688, on_success=0xf430f330) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#8 0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc7a20, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
#9 v8::internal::RegExpCapture::ToNode (this=0xf4bc79f8, compiler=0xf50fc688, on_success=0xf430f2e0) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#10 0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc79f8, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
#11 v8::internal::RegExpCapture::ToNode (this=0xf4bc79d0, compiler=0xf50fc688, on_success=0xf430f290) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#12 0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc79d0, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
#13 v8::internal::RegExpCapture::ToNode (this=0xf4bc79a8, compiler=0xf50fc688, on_success=0xf430f240) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:924
#14 0x58914926 in v8::internal::RegExpCapture::ToNode (body=0xf4bc79a8, index=<optimized out>, compiler=<optimized out>, on_success=<optimized out>) at /home/skygentoo/trees/mozilla-central/js/src/irregexp/imported/regexp-compiler-tonode.cc:935
/snip
Comment 2 • 4 years ago
Set release status flags based on info from the regressing bug 1634135
Comment 3 • 4 years ago
Thanks for the report, Gary, but your suspicion is correct. This is the intended behaviour.
Irregexp does not handle OOM internally. Instead of rewriting the entire engine to add OOM failure paths, we just mark all allocations as OOM-unsafe. Note that this is not a web-compat issue, because we're running the same code as Chrome and should only crash in cases where V8 would also crash.
(This is a small part of my ongoing quest to remove small-OOM recovery from SM.)
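The two allocation strategies contrasted in the comment above, as an added example that is not SpiderMonkey's, irregexp's or V8's own code: a toy arena with a simulated memory limit, a fallible path whose callers must check every result and unwind through each recursive frame, and an OOM-unsafe region that turns a failed allocation into a deliberate, labelled crash. `ToyZone`, `OomUnsafeRegion`, the byte budget and the sink that records the crash reason are hypothetical; the 60-byte node size is the `size=60` visible in the reported stack, and the nested walk stands in for the recursive `RegExpCapture::ToNode` frames.

```cpp
// Added example, not SpiderMonkey's or V8's own code. It models the design
// choice described in comment 3: a zone allocator whose callers either
// (a) check every result and unwind on OOM, or (b) run inside an OOM-unsafe
// region where a failed allocation becomes a deliberate, labelled crash.
// ToyZone, OomUnsafeRegion and the byte budget are hypothetical; the 60-byte
// node size is the `size=60` seen in the reported stack.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <string>
#include <vector>

static const size_t kNodeSize = 60;

// Arena with a simulated memory limit: once the budget is spent, every
// further request fails, which stands in for a real OOM.
struct ToyZone {
    size_t budget;
    std::vector<std::unique_ptr<uint8_t[]>> chunks;

    explicit ToyZone(size_t bytes) : budget(bytes) {}

    // Fallible path: returns nullptr on OOM; the caller must check.
    void* TryNew(size_t size) {
        if (size > budget) return nullptr;
        budget -= size;
        chunks.emplace_back(new uint8_t[size]);
        return chunks.back().get();
    }
};

// OOM-unsafe region: code inside it has no failure path, so a failed
// allocation is turned into an explicit crash with a reason string instead
// of silently continuing with a null pointer. A real engine aborts here and
// never returns; `sink` lets a test observe the reason instead.
struct OomUnsafeRegion {
    explicit OomUnsafeRegion(std::string* sink = nullptr) : sink_(sink) {}

    void* New(ToyZone& zone, size_t size) {
        void* p = zone.TryNew(size);
        if (!p) crash("zone allocation failed inside OOM-unsafe region");
        return p;
    }

    void crash(const char* reason) {
        if (!sink_) std::abort();
        *sink_ = reason;
    }

    std::string* sink_;
};

// Models compiling `depth` nested capture groups: each level allocates one
// node before recursing into the inner group. With fallible allocation the
// failure has to be propagated through every frame on the way back up.
bool BuildFallible(ToyZone& zone, int depth) {
    if (depth == 0) return true;
    if (!zone.TryNew(kNodeSize)) return false;
    return BuildFallible(zone, depth - 1);
}

// Same walk inside an OOM-unsafe region: no checks, no propagation. The
// `reason` test is only there because the simulated crash returns; the
// real one does not, so the recursion simply never continues.
static void BuildUnsafeRec(OomUnsafeRegion& region, ToyZone& zone, int depth,
                           const std::string& reason) {
    if (depth == 0 || !reason.empty()) return;
    region.New(zone, kNodeSize);
    BuildUnsafeRec(region, zone, depth - 1, reason);
}

// Returns the crash reason, or an empty string if every allocation succeeded.
std::string BuildUnsafe(ToyZone& zone, int depth) {
    std::string reason;
    OomUnsafeRegion region(&reason);
    BuildUnsafeRec(region, zone, depth, reason);
    return reason;
}

int main() {
    ToyZone fallible(kNodeSize * 8);
    std::printf("fallible, 9 levels: %s after %zu nodes\n",
                BuildFallible(fallible, 9) ? "ok" : "OOM propagated",
                fallible.chunks.size());

    ToyZone unsafeZone(kNodeSize * 8);
    std::string reason = BuildUnsafe(unsafeZone, 9);
    std::printf("unsafe, 9 levels: %s after %zu nodes\n",
                reason.empty() ? "ok" : reason.c_str(),
                unsafeZone.chunks.size());
    return 0;
}
```

The point of the contrast is the cost model: the fallible walk needs a check and an early return in every function that allocates, which for a ported engine means touching every `ToNode`-style method, whereas the unsafe region concentrates the decision in one place and guarantees that the failure is an intentional, attributable crash rather than a later null dereference. The trade-off is exactly the one the comment states: a large enough input that exhausts the zone will crash rather than recover, which is acceptable only when the same input would also crash the engine the code was imported from.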