Closed
Bug 103042
Opened 24 years ago
Closed 24 years ago
O(n**2) arena allocation in jsscan.c on long string literals
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla0.9.6
People
(Reporter: brendan, Assigned: brendan)
References
()
Details
(Keywords: js1.5)
Attachments
(1 file)
|
1.43 KB,
patch
|
jband_mozilla
:
review+
shaver
:
superreview+
|
Details | Diff | Splinter Review |
See the URL. Fix coming up.
/be
|
Assignee | |
Updated•24 years ago
|
Status: NEW → ASSIGNED
Keywords: js1.5,
mozilla0.9.6
Priority: -- → P1
Target Milestone: --- → mozilla0.9.6
|
|
Assignee | |
Comment 1•24 years ago
|
||
|
||
Comment 2•24 years ago
|
||
Comment on attachment 51994 [details] [diff] [review]
proposed fix, please review
> if (!base) {
>- JS_ARENA_ALLOCATE_CAST(base, jschar *, pool, tbincr);
>+ tbsize = TBMIN * sizeof(jschar);
>+ length = TBMIN;
>+ JS_ARENA_ALLOCATE_CAST(base, jschar *, pool, tbsize);
> } else {
>- tbsize = (size_t)(length * sizeof(jschar));
>- JS_ARENA_GROW_CAST(base, jschar *, pool, tbsize, tbincr);
>+ length = PTRDIFF(tb->limit, base, jschar);
>+ tbsize = length * sizeof(jschar);
>+ length <<= 1;
>+ JS_ARENA_GROW_CAST(base, jschar *, pool, tbsize, tbsize);
> }
> if (!base) {
> JS_ReportOutOfMemory(cx);
> return JS_FALSE;
> }
> tb->base = base;
>- tb->limit = base + length + length + TBINCR;
>+ tb->limit = base + length;
So based on my reading of this, we never really grow, and we might well
crash, since limit overstates the allocation.
Shouldn't we be shifting length before we use it to compute tbsize for
reallocation?
|
|
Assignee | |
Comment 3•24 years ago
|
||
shaver, give me some credit here! Note that the patch passes tbsize and the
size and incr parameters (final two) to JS_ARENA_GROW_CAST, which has the direct
effect of doubling the current allocation size. We update length after
computing tbsize for this reason. Both tbsize+tbsize and length<<=1 double the
byte- and jschar-reckoned "sizes", and in the right order.
/be
|
|
||
Comment 4•24 years ago
|
||
Comment on attachment 51994 [details] [diff] [review]
proposed fix, please review
I hate being stupid. You're right, of course.
sr=shaver
Attachment #51994 -
Flags: superreview+
|
|
Assignee | |
Comment 5•24 years ago
|
||
waterson, this was the patch I mentioned, that might help reduce the bloatblame
attributed (due to dlsym limitations) to js_MatchToken.
Anyone -- I need an r=, I'd like to get this patch in.
/be
|
|
||
Comment 6•24 years ago
|
||
Comment on attachment 51994 [details] [diff] [review]
proposed fix, please review
r=jband
Attachment #51994 -
Flags: review+
|
|
Assignee | |
Comment 7•24 years ago
|
||
Fix is in.
/be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•