Closed
Bug 131904
Opened 24 years ago
Closed 24 years ago
OOM in CreateScopeTable crashes js_SearchScope
Categories
(Core :: JavaScript Engine, defect)
VERIFIED
FIXED
mozilla1.0
People
(Reporter: scole, Assigned: brendan)
Details
(Keywords: js1.5)
Attachments (1 file)
patch, 1.47 KB; khanson: review+; jband_mozilla: superreview+; scc: approval+
We're actually getting far enough to run JS input files now. This Out-Of-Memory
crash happens trying to run one of the ECMA Array testsuites:
Memory Failure Location
CreateScopeTable(JSScope * 0x0013b550) line 119 + 11 bytes
js_AddScopeProperty(JSContext * 0x00163ca8, JSScope * 0x0013b550, long
0x0014c9a0, int (JSContext *, JSObject *, long, long *)* 0x100385e0
fun_getProperty(JSContext *, JSObject *, long, long *), int (JSContext *,
JSObject *, long, long *)* 0x00000000, unsigned int 0xffffffff, unsigned int
0x00000046, unsigned int 0x00000008, int 0xfffffff9) line 1145 + 9 bytes
js_DefineNativeProperty(JSContext * 0x00163ca8, JSObject * 0x00157760, long
0x0014c9a0, long 0x80000001, int (JSContext *, JSObject *, long, long *)*
0x100385e0 fun_getProperty(JSContext *, JSObject *, long, long *), int
(JSContext *, JSObject *, long, long *)* 0x1000125d _JS_PropertyStub, unsigned
int 0x00000046, unsigned int 0x00000008, int 0xfffffff9, JSProperty * * ...) line 20
DefineProperty(JSContext * 0x00163ca8, JSObject * 0x00157760, const char *
0x100eed90 _js_caller_str, long 0x80000001, int (JSContext *, JSObject *, long,
long *)* 0x00000000, int (JSContext *, JSObject *, long, long *)* 0x00000000,
unsigned int 0x00000046, unsigned int 0x00000008, int 0xfffffff9) line 2046 + 43
bytes
JS_DefineProperties(JSContext * 0x00163ca8, JSObject * 0x00157760, const
JSPropertySpec * 0x100ffac8) line 2125 + 57 bytes
JS_InitClass(JSContext * 0x00163ca8, JSObject * 0x00157740, JSObject *
0x00000000, JSClass * 0x100ffae8 _js_FunctionClass, int (JSContext *, JSObject
*, unsigned int, long *, long *)* 0x1003ab80 Function(JSContext *, JSObject *,
unsigned int, long *, long *), unsigned int 0x00000001, const JSPropertySpec *
0x100ffa88 function_props, const JSFunctionSpec * ...) line 1859 + 23 bytes
js_InitFunctionClass(JSContext * 0x00163ca8, JSObject * 0x00157740) line 1870 +
41 bytes
InitFunctionAndObjectClasses(JSContext * 0x00163ca8, JSObject * 0x00157740) line
1073 + 13 bytes
JS_ResolveStandardClass(JSContext * 0x00163ca8, JSObject * 0x00157740, long
0x00157484, int * 0x0012fa40) line 1347 + 11 bytes
global_resolve(JSContext * 0x00163ca8, JSObject * 0x00157740, long 0x00157484,
unsigned int 0x00000000, JSObject * * 0x0012fb00) line 1921 + 22 bytes
js_LookupProperty(JSContext * 0x00163ca8, JSObject * 0x00157740, long
0x0014c5c8, JSObject * * 0x0012fbbc, JSProperty * * 0x0012fbb8) line 2230 + 50 bytes
FindConstructor(JSContext * 0x00163ca8, JSObject * 0x00000000, const char *
0x100eed2c _js_Function_str, long * 0x0012fc3c) line 1716 + 31 bytes
GetClassPrototype(JSContext * 0x00163ca8, JSObject * 0x00157740, const char *
0x100eed2c _js_Function_str, JSObject * * 0x0012fce0) line 3214 + 21 bytes
js_NewObject(JSContext * 0x00163ca8, JSClass * 0x100ffae8 _js_FunctionClass,
JSObject * 0x00000000, JSObject * 0x00157740) line 1619 + 23 bytes
js_NewFunction(JSContext * 0x00163ca8, JSObject * 0x00000000, int (JSContext *,
JSObject *, unsigned int, long *, long *)* 0x00401020 Version(JSContext *,
JSObject *, unsigned int, long *, long *), unsigned int 0x00000000, unsigned int
0x00000000, JSObject * 0x00157740, JSAtom * 0x0013b3d8) line 1914 + 20 bytes
js_DefineFunction(JSContext * 0x00163ca8, JSObject * 0x00157740, JSAtom *
0x0013b3d8, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x00401020 Version(JSContext *, JSObject *, unsigned int, long *, long *),
unsigned int 0x00000000, unsigned int 0x00000000) line 1978 + 31 bytes
JS_DefineFunction(JSContext * 0x00163ca8, JSObject * 0x00157740, const char *
0x004176c4 ??_C@_07BPOH@version?$AA@, int (JSContext *, JSObject *, unsigned
int, long *, long *)* 0x00401020 Version(JSContext *, JSObject *, unsigned int,
long *, long *), unsigned int 0x00000000, unsigned int 0x00000000) line 2816 +
29 bytes
JS_DefineFunctions(JSContext * 0x00163ca8, JSObject * 0x00157740, const
JSFunctionSpec * 0x00418450 shell_functions) line 2798 + 44 bytes
orig_main(int 0x00000004, char * * 0x00301c44) line 2077 + 19 bytes
main(int 0x00000005, char * * 0x00301c40) line 2163 + 13 bytes
mainCRTStartup() line 338 + 17 bytes
KERNEL32! 77f1bbb5()
ABR (Purify "Array Bounds Read" error) at
js_SearchScope(JSScope * 0x001a1128, long 0x00181f60, int 0x00000001) line 266 +
17 bytes
CreateScopeTable(JSScope * 0x001a1128) line 124 + 62 bytes
js_AddScopeProperty(JSContext * 0x001afb20, JSScope * 0x001a1128, long
0x00181f60, int (JSContext *, JSObject *, long, long *)* 0x1007ea70
fun_getProperty(JSContext *, JSObject *, long, long *), int (JSContext *,
JSObject *, long, long *)* 0x00000000, unsigned int 0x00000007, unsigned int
0x00000000, unsigned int 0x00000000, int 0x00000000) line 1145 + 21 bytes
js_DefineNativeProperty(JSContext * 0x001afb20, JSObject * 0x00192b60, long
0x00181f60, long 0x00192b70, int (JSContext *, JSObject *, long, long *)*
0x1007ea70 fun_getProperty(JSContext *, JSObject *, long, long *), int
(JSContext *, JSObject *, long, long *)* 0x1000125d @ILT+600(_JS_Init+11440),
unsigned int 0x00000000, unsigned int 0x00000000, int 0x00000000, ...) line 2064
+ 13
js_DefineProperty(JSContext * 0x001afb20, JSObject * 0x00192b60, long
0x00181f60, long 0x00192b70, int (JSContext *, JSObject *, long, long *)*
0x00000000, int (JSContext *, JSObject *, long, long *)* 0x00000000, unsigned
int 0x00000000, JSProperty * * 0x00000000) line 1980 + 137 bytes
js_DefineFunction(JSContext * 0x001afb20, JSObject * 0x00192b60, JSAtom *
0x00181f60, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x10082360 fun_toSource(JSContext *, JSObject *, unsigned int, long *, long *),
unsigned int 0x00000000, unsigned int 0x00000000) line 1982 + 159 bytes
JS_DefineFunction(JSContext * 0x001afb20, JSObject * 0x00192b60, const char *
0x101afe14 _js_toSource_str, int (JSContext *, JSObject *, unsigned int, long *,
long *)* 0x10082360 fun_toSource(JSContext *, JSObject *, unsigned int, long *,
long *), unsigned int 0x00000000, unsigned int 0x00000000) line 2816 + 101 bytes
JS_DefineFunctions(JSContext * 0x001afb20, JSObject * 0x00192b60, const
JSFunctionSpec * 0x101c0b30 function_methods) line 2798 + 155 bytes
JS_InitClass(JSContext * 0x001afb20, JSObject * 0x00192b40, JSObject *
0x00000000, JSClass * 0x101c0ae8 _js_FunctionClass, int (JSContext *, JSObject
*, unsigned int, long *, long *)* 0x10083f80 Function(JSContext *, JSObject *,
unsigned int, long *, long *), unsigned int 0x00000001, const JSPropertySpec *
0x101c0a88 function_props, const JSFunctionSpec * ...) line 1859 + 149 bytes
js_InitFunctionClass(JSContext * 0x001afb20, JSObject * 0x00192b40) line 1870 +
113 bytes
InitFunctionAndObjectClasses(JSContext * 0x001afb20, JSObject * 0x00192b40) line
1073 + 37 bytes
JS_ResolveStandardClass(JSContext * 0x001afb20, JSObject * 0x00192b40, long
0x00192884, int * 0x0013f994) line 1347 + 35 bytes
global_resolve(JSContext * 0x001afb20, JSObject * 0x00192b40, long 0x00192884,
unsigned int 0x00000000, JSObject * * 0x0013fa54) line 1921 + 83 bytes
js_LookupProperty(JSContext * 0x001afb20, JSObject * 0x00192b40, long
0x00152098, JSObject * * 0x0013fb10, JSProperty * * 0x0013fb0c) line 2230 + 157
bytes
FindConstructor(JSContext * 0x001afb20, JSObject * 0x00000000, const char *
0x101afd2c _js_Function_str, long * 0x0013fb90) line 1716 + 126 bytes
GetClassPrototype(JSContext * 0x001afb20, JSObject * 0x00192b40, const char *
0x101afd2c _js_Function_str, JSObject * * 0x0013fc34) line 3214 + 69 bytes
js_NewObject(JSContext * 0x001afb20, JSClass * 0x101c0ae8 _js_FunctionClass,
JSObject * 0x00000000, JSObject * 0x00192b40) line 1619 + 80 bytes
js_NewFunction(JSContext * 0x001afb20, JSObject * 0x00000000, int (JSContext *,
JSObject *, unsigned int, long *, long *)* 0x00401020 Version(JSContext *,
JSObject *, unsigned int, long *, long *), unsigned int 0x00000000, unsigned int
0x00000000, JSObject * 0x00192b40, JSAtom * 0x0015f730) line 1914 + 56 bytes
js_DefineFunction(JSContext * 0x001afb20, JSObject * 0x00192b40, JSAtom *
0x0015f730, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x00401020 Version(JSContext *, JSObject *, unsigned int, long *, long *),
unsigned int 0x00000000, unsigned int 0x00000000) line 1978 + 103 bytes
JS_DefineFunction(JSContext * 0x001afb20, JSObject * 0x00192b40, const char *
0x0041d6c4 ??_C@_07BPOH@version?$AA@, int (JSContext *, JSObject *, unsigned
int, long *, long *)* 0x00401020 Version(JSContext *, JSObject *, unsigned int,
long *, long *), unsigned int 0x00000000, unsigned int 0x00000000) line 2816 +
101 bytes
JS_DefineFunctions(JSContext * 0x001afb20, JSObject * 0x00192b40, const
JSFunctionSpec * 0x0041e450 shell_functions) line 2798 + 155 bytes
orig_main(int 0x00000004, char * * 0x01fe1634) line 2077 + 68 bytes
main(int 0x00000005, char * * 0x01fe1630) line 2163 + 37 bytes
mainCRTStartup() line 338 + 53 bytes
Crash at: (sprop looks like uninitialized data)
js_SearchScope(JSScope * 0x0013b550, long 0x0014cec8, int 0x00000001) line 274 +
9 bytes
CreateScopeTable(JSScope * 0x0013b550) line 124 + 17 bytes
js_AddScopeProperty(JSContext * 0x00163ca8, JSScope * 0x0013b550, long
0x0014cec8, int (JSContext *, JSObject *, long, long *)* 0x100385e0
fun_getProperty(JSContext *, JSObject *, long, long *), int (JSContext *,
JSObject *, long, long *)* 0x00000000, unsigned int 0x00000007, unsigned int
0x00000000, unsigned int 0x00000000, int 0x00000000) line 1145 + 9 bytes
js_DefineNativeProperty(JSContext * 0x00163ca8, JSObject * 0x00157760, long
0x0014cec8, long 0x00157770, int (JSContext *, JSObject *, long, long *)*
0x100385e0 fun_getProperty(JSContext *, JSObject *, long, long *), int
(JSContext *, JSObject *, long, long *)* 0x1000125d _JS_PropertyStub, unsigned
int 0x00000000, unsigned int 0x00000000, int 0x00000000, JSProperty * * ...) line 20
js_DefineProperty(JSContext * 0x00163ca8, JSObject * 0x00157760, long
0x0014cec8, long 0x00157770, int (JSContext *, JSObject *, long, long *)*
0x00000000, int (JSContext *, JSObject *, long, long *)* 0x00000000, unsigned
int 0x00000000, JSProperty * * 0x00000000) line 1980 + 41 bytes
js_DefineFunction(JSContext * 0x00163ca8, JSObject * 0x00157760, JSAtom *
0x0014cec8, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x10039fc0 fun_toSource(JSContext *, JSObject *, unsigned int, long *, long *),
unsigned int 0x00000000, unsigned int 0x00000000) line 1982 + 42 bytes
JS_DefineFunction(JSContext * 0x00163ca8, JSObject * 0x00157760, const char *
0x100eee14 _js_toSource_str, int (JSContext *, JSObject *, unsigned int, long *,
long *)* 0x10039fc0 fun_toSource(JSContext *, JSObject *, unsigned int, long *,
long *), unsigned int 0x00000000, unsigned int 0x00000000) line 2816 + 29 bytes
JS_DefineFunctions(JSContext * 0x00163ca8, JSObject * 0x00157760, const
JSFunctionSpec * 0x100ffb30 function_methods) line 2798 + 44 bytes
JS_InitClass(JSContext * 0x00163ca8, JSObject * 0x00157740, JSObject *
0x00000000, JSClass * 0x100ffae8 _js_FunctionClass, int (JSContext *, JSObject
*, unsigned int, long *, long *)* 0x1003ab80 Function(JSContext *, JSObject *,
unsigned int, long *, long *), unsigned int 0x00000001, const JSPropertySpec *
0x100ffa88 function_props, const JSFunctionSpec * ...) line 1859 + 53 bytes
js_InitFunctionClass(JSContext * 0x00163ca8, JSObject * 0x00157740) line 1870 +
41 bytes
InitFunctionAndObjectClasses(JSContext * 0x00163ca8, JSObject * 0x00157740) line
1073 + 13 bytes
JS_ResolveStandardClass(JSContext * 0x00163ca8, JSObject * 0x00157740, long
0x00157484, int * 0x0012fa40) line 1347 + 11 bytes
global_resolve(JSContext * 0x00163ca8, JSObject * 0x00157740, long 0x00157484,
unsigned int 0x00000000, JSObject * * 0x0012fb00) line 1921 + 22 bytes
js_LookupProperty(JSContext * 0x00163ca8, JSObject * 0x00157740, long
0x0014c5c8, JSObject * * 0x0012fbbc, JSProperty * * 0x0012fbb8) line 2230 + 50 bytes
FindConstructor(JSContext * 0x00163ca8, JSObject * 0x00000000, const char *
0x100eed2c _js_Function_str, long * 0x0012fc3c) line 1716 + 31 bytes
GetClassPrototype(JSContext * 0x00163ca8, JSObject * 0x00157740, const char *
0x100eed2c _js_Function_str, JSObject * * 0x0012fce0) line 3214 + 21 bytes
js_NewObject(JSContext * 0x00163ca8, JSClass * 0x100ffae8 _js_FunctionClass,
JSObject * 0x00000000, JSObject * 0x00157740) line 1619 + 23 bytes
js_NewFunction(JSContext * 0x00163ca8, JSObject * 0x00000000, int (JSContext *,
JSObject *, unsigned int, long *, long *)* 0x00401020 Version(JSContext *,
JSObject *, unsigned int, long *, long *), unsigned int 0x00000000, unsigned int
0x00000000, JSObject * 0x00157740, JSAtom * 0x0013b3d8) line 1914 + 20 bytes
js_DefineFunction(JSContext * 0x00163ca8, JSObject * 0x00157740, JSAtom *
0x0013b3d8, int (JSContext *, JSObject *, unsigned int, long *, long *)*
0x00401020 Version(JSContext *, JSObject *, unsigned int, long *, long *),
unsigned int 0x00000000, unsigned int 0x00000000) line 1978 + 31 bytes
JS_DefineFunction(JSContext * 0x00163ca8, JSObject * 0x00157740, const char *
0x004176c4 ??_C@_07BPOH@version?$AA@, int (JSContext *, JSObject *, unsigned
int, long *, long *)* 0x00401020 Version(JSContext *, JSObject *, unsigned int,
long *, long *), unsigned int 0x00000000, unsigned int 0x00000000) line 2816 +
29 bytes
JS_DefineFunctions(JSContext * 0x00163ca8, JSObject * 0x00157740, const
JSFunctionSpec * 0x00418450 shell_functions) line 2798 + 44 bytes
orig_main(int 0x00000004, char * * 0x00301b94) line 2077 + 19 bytes
main(int 0x00000005, char * * 0x00301b90) line 2163 + 13 bytes
mainCRTStartup() line 338 + 17 bytes
Comment 1 (Assignee) • 24 years ago
What exactly was the ABR, how far out of bounds for a given allocation? And
where was the allocation being ABR'ed? It couldn't have been the failing calloc
cited by the first stack, that didn't make an allocation.
/be
Summary: OOM in CreateScopeTable crashes js_SearchScope → OOM in CreateScopeTable crashes js_SearchScope
Comment 2 (Reporter) • 24 years ago
Well, the Purify details look like
[E] ABR: Array bounds read in js_SearchScope {1 occurrence}
Reading 4 bytes from 0x0017df2c (4 bytes at 0x0017df2c illegal)
Address 0x0017df2c is 5 bytes past the end of a 16 byte block at 0x0017df18
Address 0x0017df2c points to a HeapAlloc'd block in the default heap
Thread ID: 0x149
"17df18" is scope->table; "5" is hash1; and "17df2c" is spp. It would seem that
hash1 got too large somehow. The allocation came from
CreateScopeTable [jsscope.c:119]
js_AddScopeProperty [jsscope.c:1145]
js_DefineNativeProperty [jsobj.c:2064]
js_DefineProperty [jsobj.c:1980]
js_DefineFunction [jsfun.c:1982]
JS_DefineFunction [jsapi.c:2816]
JS_DefineFunctions [jsapi.c:2798]
JS_InitClass [jsapi.c:1859]
js_InitFunctionClass [jsfun.c:1870]
InitFunctionAndObjectClasses [jsapi.c:1073]
JS_ResolveStandardClass [jsapi.c:1347]
global_resolve [js.c:1921]
js_LookupProperty [jsobj.c:2230]
FindConstructor [jsobj.c:1716]
GetClassPrototype [jsobj.c:3214]
js_NewObject [jsobj.c:1619]
js_NewFunction [jsfun.c:1914]
js_DefineFunction [jsfun.c:1978]
JS_DefineFunction [jsapi.c:2816]
JS_DefineFunctions [jsapi.c:2798]
orig_main [js.c:2077]
main [js.c:2163]
So perhaps something didn't grow like it should have. Do you want a patch to
build this crash into the jsshell? Or are these tea leaves enough?
--scole
Comment 3 (Reporter) • 24 years ago
FWIW, this crash signature most closely matches the crashes we were seeing in
our embedding under low-memory conditions, so this crash seems more "real" than
the other OOM bugs I've found.
Comment 4 (Assignee) • 24 years ago
A dimensional analysis of the size variable in CreateScopeTable shows that it is
inconsistent: size is sometimes bytes (its first assigned value, and when it is
used as a parameter to calloc) but other times a count of the table capacity for
a given sizeLog2. D'oh! Patch next, this bug is mine.
/be
Comment 5 (Assignee) • 24 years ago
scole, you were right -- this was a real bug not caught during review of the
big patch for bug 62164.
Phil, I think we want this fix in RC4a.
/be
Comment 6 (Assignee) • 24 years ago
I try not to use size to mean something other than nbytes (sizeof), but fail too
often when it comes to table capacity. The scope->sizeLog2 member is the log2
of the table capacity in entries, not the table size in bytes. So long as this
size idiom is clear, we should be ok. I couldn't bring myself to use
capacityLog2....
/be
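The sizing mistake comments 4 and 6 describe, as an added example that is neither the jsscope.c code nor the attached patch: a constructed model in which the buggy creator lets one variable, size, stand for both bytes and an entry count, while the fixed creator keeps nbytes and sizeLog2 (log2 of the capacity in entries) apart. The checks at the end are the invariant a debug build could assert right after table creation, before a hash index ever reaches the table; every name except sizeLog2 is an assumption.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of a scope's property hash table, not jsscope.c's JSScope;
 * only the sizing logic is modelled. */
typedef struct Scope {
    unsigned sizeLog2;  /* log2 of table capacity in entries (comment 6) */
    size_t   nbytes;    /* bytes actually handed to calloc */
    void   **table;     /* calloc'd array of entry pointers */
} Scope;

/* Buggy sizing in the spirit of comment 4: 'size' starts as a byte count, is
 * passed to calloc as bytes, then is reused as if it were an entry count when
 * sizeLog2 is derived. The hash space and the storage no longer agree. */
int create_table_buggy(Scope *scope, unsigned nentries)
{
    size_t size = nentries * sizeof(void *);   /* bytes */
    scope->table = calloc(1, size);
    if (!scope->table)
        return 0;
    scope->nbytes = size;
    scope->sizeLog2 = 0;                       /* bug: 'size' is not entries */
    while (((size_t)1 << scope->sizeLog2) < size)
        scope->sizeLog2++;
    return 1;
}

/* Fixed sizing: entries and bytes get separate names, and sizeLog2 is only
 * ever the log2 of the capacity in entries. */
int create_table_fixed(Scope *scope, unsigned sizeLog2)
{
    size_t nentries = (size_t)1 << sizeLog2;       /* entries */
    scope->table = calloc(nentries, sizeof(void *));
    if (!scope->table)
        return 0;
    scope->nbytes = nentries * sizeof(void *);     /* bytes */
    scope->sizeLog2 = sizeLog2;
    return 1;
}

/* Slots the hash may index (from sizeLog2) vs. slots the allocation backs. */
size_t hash_space(const Scope *s) { return (size_t)1 << s->sizeLog2; }
size_t allocated_slots(const Scope *s) { return s->nbytes / sizeof(void *); }
/* Power-of-two masking, as a scope hash would do with sizeLog2. */
size_t hash_index(const Scope *s, size_t id) { return id & (hash_space(s) - 1); }
/* Invariant to assert after table creation: every hash index has storage. */
int table_consistent(const Scope *s) { return hash_space(s) <= allocated_slots(s); }
/* Would reading table[hash] run past the calloc'd block (Purify's ABR)? */
int slot_in_bounds(const Scope *s, size_t hash) { return hash < allocated_slots(s); }
void destroy_table(Scope *s) { free(s->table); s->table = NULL; }
```

With four entries and a hash of 5 the buggy table reproduces the shape of the Purify report in comment 2 (a four-pointer block, index 5 past its end), while the fixed table's hash space never exceeds what calloc returned.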
Comment 7 (Reporter) • 24 years ago
This looks good: the patch in attachment 74926 fixes my crash. Brendan, do you
want my empirical r= or are eyes familiar with this code more appropriate this time?
--scole
Comment 8 • 24 years ago
Comment on attachment 74926
proposed fix
sr=jband
Attachment #74926 - Flags: superreview+
Comment 9 • 24 years ago
Brendan: saw your comment above; holding off on RC4a until
this is checked in -
Comment 11 • 24 years ago
Comment on attachment 74926
proposed fix
r=khanson
Attachment #74926 - Flags: review+
Comment 12 • 24 years ago
Comment on attachment 74926
proposed fix
a=scc
Attachment #74926 - Flags: approval+
Comment 13 (Assignee) • 24 years ago
Fixed.
/be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Comment 14 • 24 years ago
Steve, could you mark this Verified if it has fixed things for you?
Thanks -
Comment 15 (Reporter) • 24 years ago
Heck, I said this patch fixed my problem way back in comment 7. So, yeah, I'll
verify it...
Status: RESOLVED → VERIFIED