Closed Bug 565603 Opened 10 years ago Closed 10 years ago

crash [@ js::SweepScopeProperties] when JS_DHashTableOperate fails

Categories

(Core :: JavaScript Engine, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED INVALID

People

(Reporter: timeless, Assigned: timeless)

References

(Blocks 1 open bug, )

Details

(Keywords: coverity, crash)

Crash Data

Attachments

(1 file)

760 js::SweepScopeProperties(JSContext *cx)
831                     PropertyRootEntry *newRent =
832                         (PropertyRootEntry *) JS_DHashTableOperate(&newHash, &rkey, JS_DHASH_ADD);

834                     newRent->firstProp = rent->firstProp;

The code here seems to be sensitive to oom in other cases, I believe this case should be too.
Blocks: 497789
Attached patch patchSplinter Review
Assignee: general → timeless
Status: NEW → ASSIGNED
Attachment #445078 - Flags: review?(jorendorff)
Comment on attachment 445078 [details] [diff] [review]
patch

Table is preallocated, so ADD can't fail. No bug here.

/be
Attachment #445078 - Flags: review?(jorendorff) → review-
ah, 

814         uint32 tableSize = JS_DHASH_TABLE_SIZE(&oldHash);
815         JSDHashTable newHash;
816 
817         if (!JS_DHashTableInit(&newHash, &PropertyRootHashOps, NULL,
818                                sizeof(PropertyRootEntry), tableSize)) {
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Crash Signature: [@ js::SweepScopeProperties]
You need to log in before you can comment on or make changes to this bug.