Closed Bug 1600019 Opened 6 years ago Closed 6 years ago

Missing OOM handling in registerWithFinalizationGroup and uninitialised FinalizationRecordVectorObject when tracing

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla72

Tracking Flags:

Tracking

Status

firefox72

---

fixed

People

(Reporter: anba, Assigned: anba)

Details

Attachments

(5 files)

Bug 1600019 - Part 1: Handle OOM in registerWithFinalizationGroup. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review
Bug 1600019 - Part 2: Handle the case when FinalizationRecordVectorObject's records slot is uninitialised. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review
Bug 1600019 - Part 3: Use NewObjectWithGivenProto when \|prototype\| argument is guaranteed to be non-null. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review
Bug 1600019 - Part 4: Prefer js::Call over JS::Call for engine-internal calls. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review
Bug 1600019 - Part 5: Avoid rooting a handle-value. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review

André Bargull [:anba]

Assignee

Description

•

6 years ago

This test case asserts with Assertion failure: cx->isExceptionPending() (Thunk execution failed but no exception was raised - missing call to js::ReportOutOfMemory()?):

let group = new FinalizationGroup(x => 0);
let target = {};
let token = {};
oomTest(() => group.register(target, 1, token));

This test case asserts with Assertion failure: isDouble():

enableShellAllocationMetadataBuilder();
evaluate(`
  var group = new FinalizationGroup(x => 0);
  gczeal(9,3);
  group.register({}, 1, {});
`);

André Bargull [:anba]

Assignee

Comment 1

•

6 years ago

Attached file Bug 1600019 - Part 1: Handle OOM in registerWithFinalizationGroup. r=jonco! — Details

André Bargull [:anba]

Assignee

Comment 2

•

6 years ago

Attached file Bug 1600019 - Part 2: Handle the case when FinalizationRecordVectorObject's records slot is uninitialised. r=jonco! — Details

Depends on D55086

André Bargull [:anba]

Assignee

Comment 3

•

6 years ago

Attached file Bug 1600019 - Part 3: Use NewObjectWithGivenProto when |prototype| argument is guaranteed to be non-null. r=jonco! — Details

NewObjectWithClassProto when called with a non-null prototype calls NewObjectWithGivenTaggedProto,
but that function can be called more directly through NewObjectWithGivenProto.

Depends on D55087

André Bargull [:anba]

Assignee

Comment 4

•

6 years ago

Attached file Bug 1600019 - Part 4: Prefer js::Call over JS::Call for engine-internal calls. r=jonco! — Details

js::Call avoids copying the arguments into a separate InvokeArgs struct,
therefore it's generally preferred for calls within SpiderMonkey.

Depends on D55088

André Bargull [:anba]

Assignee

Comment 5

•

6 years ago

Attached file Bug 1600019 - Part 5: Avoid rooting a handle-value. r=jonco! — Details

Depends on D55089

Jon Coppeard (:jonco)

Updated

•

6 years ago

Priority: -- → P1

Pulsebot

Comment 6

•

6 years ago

Pushed by dluca@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/889b0858a957 Part 1: Handle OOM in registerWithFinalizationGroup. r=jonco https://hg.mozilla.org/integration/autoland/rev/ad0a7949dd8e Part 2: Handle the case when FinalizationRecordVectorObject's records slot is uninitialised. r=jonco https://hg.mozilla.org/integration/autoland/rev/bc921ac2bd1b Part 3: Use NewObjectWithGivenProto when |prototype| argument is guaranteed to be non-null. r=jonco https://hg.mozilla.org/integration/autoland/rev/3de775ee7d0e Part 4: Prefer js::Call over JS::Call for engine-internal calls. r=jonco https://hg.mozilla.org/integration/autoland/rev/273f738dab5f Part 5: Avoid rooting a handle-value. r=jonco

Andrei Ciure[:aciure]

Comment 7

•

6 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/889b0858a957
https://hg.mozilla.org/mozilla-central/rev/ad0a7949dd8e
https://hg.mozilla.org/mozilla-central/rev/bc921ac2bd1b
https://hg.mozilla.org/mozilla-central/rev/3de775ee7d0e
https://hg.mozilla.org/mozilla-central/rev/273f738dab5f

Status: ASSIGNED → RESOLVED

Closed: 6 years ago

status-firefox72: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla72

You need to log in before you can comment on or make changes to this bug.

Bug 1600019 - Part 1: Handle OOM in registerWithFinalizationGroup. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review
Bug 1600019 - Part 2: Handle the case when FinalizationRecordVectorObject's records slot is uninitialised. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review
Bug 1600019 - Part 3: Use NewObjectWithGivenProto when \|prototype\| argument is guaranteed to be non-null. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review
Bug 1600019 - Part 4: Prefer js::Call over JS::Call for engine-internal calls. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review
Bug 1600019 - Part 5: Avoid rooting a handle-value. r=jonco! 6 years ago André Bargull [:anba] 47 bytes, text/x-phabricator-request		Details \| Review

Bugzilla

Missing OOM handling in registerWithFinalizationGroup and uninitialised FinalizationRecordVectorObject when tracing

Categories

(Core :: JavaScript: GC, defect, P1)

Tracking

()

People

(Reporter: anba, Assigned: anba)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(5 files)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Comment 5

Updated

Comment 6

Comment 7

Attachment

General

Description

File Name

Content Type