363059 - out-of-memory recovery in jslock.c changes execution semantic without notice

Status: RESOLVED INVALID

(Core :: JavaScript Engine, defect)

Description

[Igor Bukanov]

Currently, when js_UndependString fails to make string independent, jslock.c recovers from that by storing void in object's slot for the object shared among threads. But this changes execution semantic for scripts unpredictably. It would be nice if the failure would be properly propagated.

If that is not possible due to API compatibility requirements (OBJ_SET_SLOT can not fail!), then at least triggering exception throwing when the control returns back to the script can be an option. Alternatively a thread-safe version of dependant string can be considered.

I am making this bug to depend on the related bug 363057 since fixing that can simplify fixing this problem.

Comment 1

[Igor Bukanov]

A possible way to resolve this is to allow immutable dependent strings. Then MakeStringImmune would be infallible.

Comment 2

[john]

Is this bug a reflection of the behavior at bugs: 392187 and 393045

Thought I might raise the question to you all....

Comment 3

[Igor Bukanov]

(In reply to comment #2)
> Is this bug a reflection of the behavior at bugs: 392187 and 393045

repeating so bugzilla turns the numbers into links: 
bug 392187 and bug 393045

Comment 4

[Igor Bukanov]

(In reply to comment #2)
> Is this bug a reflection of the behavior at bugs: 392187 and 393045

With very high probability the answer is no. This bug should not cause FF to crash. It symptoms would be unexpected null in scripts where the scripts assumes that the value is string. This should not lead to crashes itself.

Comment 5

[Igor Bukanov]

I am not working on this.

Comment 6

[Luke Wagner [:luke]]

jslock was removed