Closed Bug 1608283 Opened 5 years ago Closed 5 years ago

[jsdbg2] js::DebugAPI::slowPathOnNewScript ignores OOMs without the proper ceremony

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: jimb, Unassigned)

Details

This is maybe more of a question than a for-sure bug, but the code doesn't make sense to me:

js::DebugAPI::slowPathOnNewScript ignores OOM reports from js::Debugger::dispatchHook with the following code:

  // dispatchHook may fail due to OOM. This OOM is not handlable at the
  // callsites of onNewScript in the engine.
  if (resumeMode == ResumeMode::Terminate) {
    cx->clearPendingException();
    return;
  }

The OOM injection testing machinery verifies that every OOM it injects is actually propagated out as an exception, and this would appear to break that rule, so we should be able to detect this with oomTest. (This verification is disabled under --fuzzing-safe, so that explains why fuzzers haven't found it.)

Okay, this is a misunderstanding on my part.

Conditions like OOM can be legitimately ignored under some circumstances (including, hopefully, the one above). What the OOM injection machinery tests is not that all OOMs get propagated forever, but that either it gets propagated and an exception is set, or it gets caught and no exception is set. The thinking was, if code fails to propagate failure, then the presence of the exception on the cx but a successful completion will give it away. Since slowPathOnNewScript calls clearPendingException, it does not run afoul of this check.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.