Closed Bug 60164 Opened 24 years ago Closed 24 years ago

Out of memory exceptions can cause SEGV when there is no memory recovered from garbage collection.

Categories

(Core :: JavaScript Engine, defect, P3)

Sun
Solaris
defect

Tracking


VERIFIED FIXED

People

(Reporter: justin, Assigned: rogerl)

Details

(Keywords: js1.5)

Attachments

(1 file)

When an out of memory exception occurs, and there really is no more memory, 
with JS_HAS_ERROR_EXCEPTIONS:

js_ErrorToException attempts to create a new object to hold this exception in. 
This is not checked for failure (and neither is the NewStringCopyZ that 
immediately follows it). This isn't a major problem, however, as the 
js_NewObject creation will never return. The allocation is attempted but 
returns an out of memory error, which causes an exception...
Eventually the code I have runs out of stack and aborts with SEGV.

JavaScript:
// Constructor for a small object; every instance is a GC-allocated thing.
function Thing()
{
  this.bingle = 77;
}

// Keep allocating until the 128 KB runtime heap is exhausted.
lots = new Array;
count = 0;
while (count++ < 20000)
{
  lots[count] = new Thing;
}

JS engine is initialised with runtime=JS_NewRuntime(1024*128), because I wanted 
to check the stability of the engine when memory was tight.

Backtraces whilst the exceptions are occurring show the path as being:
ReportError
JS_ReportErrorNumberVA
JS_ReportErrorNumber
JS_ReportOutOfMemory
js_AllocGCThing
js_NewObject
js_ErrorToException
ReportError

I would expect a problem like this to report an out of memory error without the 
exception mechanism.
cc'ing JS Engine team - compare bug 46196
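As an added illustration, not SpiderMonkey code and not the patch on this bug, here is a small C model of the cycle in the backtrace above: an allocation fails, the out-of-memory report tries to build an exception object, and that allocation fails again until the stack is gone. run_scenario(1) applies the two changes discussed in this bug, checking the js_NewObject / JS_NewStringCopyZ results and reporting OOM without the exception mechanism; the arena, the depth limit and all names are constructed stand-ins.

```c
#include <stddef.h>
/* Constructed model of the recursion in this report, not SpiderMonkey code.
 * A fixed arena stands in for JS_NewRuntime(1024*128) with a GC that
 * recovers nothing; a depth counter stands in for the C stack that
 * eventually overflows and SEGVs. All names here are hypothetical. */
#define HEAP_CAP    (128 * 1024)
#define DEPTH_LIMIT 64                  /* "stack exhausted" in the model */
static char   arena[HEAP_CAP];
static size_t heap_used;
static int    depth, max_depth, hit_segv;
static int    fixed;                    /* 0 = as reported, 1 = checked */
static void report_error(int is_oom);

static void *gc_alloc(size_t n) {       /* js_AllocGCThing */
    if (heap_used + n > HEAP_CAP) {
        if (!hit_segv) report_error(1); /* JS_ReportOutOfMemory */
        return NULL;
    }
    heap_used += n;
    return arena + heap_used - n;
}

static void error_to_exception(void) {  /* js_ErrorToException */
    void *obj = gc_alloc(64);           /* js_NewObject */
    if (fixed && !obj) return;          /* fix: bail out on failure */
    void *msg = gc_alloc(32);           /* JS_NewStringCopyZ */
    if (fixed && !msg) return;          /* fix: likewise, no exception */
    (void)obj; (void)msg;               /* would store msg in obj here */
}

static void report_error(int is_oom) {  /* ReportError */
    if (++depth > DEPTH_LIMIT) { hit_segv = 1; depth--; return; }
    if (depth > max_depth) max_depth = depth;
    /* Fixed: an OOM report reaches the error reporter as a plain error
     * and never tries to allocate an exception object for it. */
    if (!(fixed && is_oom)) error_to_exception();
    depth--;
}

/* The report's loop: new Thing until the heap is gone, then one ordinary
 * script error while memory is still exhausted. Returns 1 on "SEGV". */
int run_scenario(int use_fix) {
    heap_used = 0; depth = max_depth = hit_segv = 0; fixed = use_fix;
    for (int i = 0; i < 20000 && !hit_segv; i++)
        if (!gc_alloc(64)) break;       /* lots[count] = new Thing */
    if (!hit_segv) report_error(0);     /* e.g. a TypeError in script */
    return hit_segv;
}
int deepest_report(void) { return max_depth; }
```

With the checks in place the deepest nesting is two reports (the script error plus one plain OOM report), whereas the unchecked path nests until the depth limit.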

Status: UNCONFIRMED → NEW
Ever confirmed: true
What version of Mozilla was this reported against?  I thought rogerl's fix for
46196 went into the trunk. OTOH, the unchecked calls to js_NewObject and
JS_NewStringCopyZ should have been fixed with that bug, but weren't.  So at
least those unchecked calls still need to be fixed.

Phil, did you verify 46196 yet?

/be
Apologies; I've just checked against the fixes applied to the trunk and it 
seems my source is outdated with regard to it. Sorry for the duplicate report
:-(
No worries.  I think this bug should stay open and be used to fix the unchecked
js_NewObject and JS_NewStringCopyZ calls.

/be
Keywords: js1.5
Adding patch to check newObject and StringCopyZ calls..
Status: NEW → ASSIGNED
mccabe, can you r=?  I'll sr=.

/be
r=mccabe
Fix checked in.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking Verified -
Status: RESOLVED → VERIFIED
*** Bug 70332 has been marked as a duplicate of this bug. ***