
Out of memory exceptions can cause SEGV when there is no memory recovered from garbage collection.

VERIFIED FIXED

Status


Core
JavaScript Engine
P3
critical
VERIFIED FIXED
17 years ago
16 years ago

People

(Reporter: Justin Fletcher, Assigned: rogerl (gone))

Tracking

({js1.5})

Trunk
Sun
Solaris
js1.5
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

17 years ago
When an out of memory exception occurs, and there really is no more memory, 
with JS_HAS_ERROR_EXCEPTIONS:

js_ErrorToException attempts to create a new object to hold this exception in. 
This is not checked for failure (and neither is the NewStringCopyZ that 
immediately follows it). This isn't a major problem, however, as the 
js_NewObject creation will never return. The allocation is attempted but 
returns an out of memory error, which causes an exception...
Eventually the code I have runs out of stack and aborts with SEGV.

JavaScript:
function Thing()
{
  this.bingle = 77;
}

lots = new Array;
count = 0;
while (count++ < 20000)
{
  lots[count]=new Thing;
}

JS engine is initialised with runtime=JS_NewRuntime(1024*128), because I wanted 
to check the stability of the engine when memory was tight.

Backtrace whilst the exceptions are occurring shows the path as being:
ReportError
JS_ReportErrorNumberVA
JS_ReportErrorNumber
JS_ReportOutOfMemory
js_AllocGCThing
js_NewObject
js_ErrorToException
ReportError

I would expect a problem like this to report an out of memory error without the 
exception mechanism.
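The recursion described in this report, as an added example modelled in C. This is not SpiderMonkey code: the Runtime struct, alloc_gc_thing, error_to_exception_unchecked, report_error_unchecked, report_error_checked and DEPTH_LIMIT are constructed stand-ins for the engine's js_AllocGCThing / js_NewObject / js_ErrorToException / ReportError path. The unchecked reporter turns the OOM raised while building the exception object back into another exception report and nests until the stand-in for stack exhaustion; the checked reporter tests the allocation result and, while already inside a report, delivers the nested OOM through a path that allocates nothing, which is the behaviour the reporter asks for.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the failure mode; not SpiderMonkey code.
 * A fixed byte budget stands in for JS_NewRuntime(1024*128). */
typedef struct {
    size_t budget;          /* bytes still available to the GC heap */
    int    depth;           /* current nesting of error reports */
    int    max_depth;       /* deepest nesting reached */
    int    in_reporter;     /* reentrancy guard (hardened path only) */
    char   last_error[64];  /* message delivered without an exception object */
} Runtime;

#define OBJECT_SIZE 32
#define DEPTH_LIMIT 256     /* stands in for running out of C stack (the SEGV) */

/* Carve an object out of the budget; NULL when the heap is exhausted. */
static void *alloc_gc_thing(Runtime *rt, size_t bytes) {
    if (rt->budget < bytes) return NULL;
    rt->budget -= bytes;
    return (void *)1;       /* a non-NULL token is all this model needs */
}

/* --- Unchecked shape: every error becomes an exception object, and the OOM
 * hit while allocating that object is reported through the same path. */
static int report_error_unchecked(Runtime *rt, const char *msg);

static void *error_to_exception_unchecked(Runtime *rt, const char *msg) {
    void *exn = alloc_gc_thing(rt, OBJECT_SIZE);   /* js_NewObject, unchecked */
    (void)msg;
    if (exn == NULL)
        report_error_unchecked(rt, "out of memory"); /* ReportError re-entered */
    return exn;
}

static int report_error_unchecked(Runtime *rt, const char *msg) {
    rt->depth++;
    if (rt->depth > rt->max_depth) rt->max_depth = rt->depth;
    if (rt->depth >= DEPTH_LIMIT) {     /* model the crash instead of taking it */
        rt->depth--;
        return -1;
    }
    snprintf(rt->last_error, sizeof rt->last_error, "%s", msg);
    error_to_exception_unchecked(rt, msg);
    rt->depth--;
    return 0;
}

/* --- Checked shape: test the allocation, and never build an exception
 * object for an error raised while one is already being built. */
static int report_error_checked(Runtime *rt, const char *msg) {
    rt->depth++;
    if (rt->depth > rt->max_depth) rt->max_depth = rt->depth;
    if (rt->in_reporter) {
        /* Nested report: deliver the message plainly and allocate nothing. */
        snprintf(rt->last_error, sizeof rt->last_error, "%s", msg);
        rt->depth--;
        return 0;
    }
    rt->in_reporter = 1;
    void *exn = alloc_gc_thing(rt, OBJECT_SIZE);   /* checked this time */
    if (exn == NULL)
        report_error_checked(rt, "out of memory"); /* takes the plain path above */
    rt->in_reporter = 0;
    rt->depth--;
    return exn != NULL;     /* 1 if an exception object was created */
}

/* Exhaust the heap the way the reporter's loop does (lots[count] = new Thing),
 * then report one error through the unchecked path. Returns the deepest
 * reporter nesting observed; reaching DEPTH_LIMIT is the modelled SEGV. */
static int run_unchecked(void) {
    Runtime rt;
    memset(&rt, 0, sizeof rt);
    rt.budget = 4 * OBJECT_SIZE;
    while (alloc_gc_thing(&rt, OBJECT_SIZE) != NULL) { }
    report_error_unchecked(&rt, "some script error");
    return rt.max_depth;
}

/* Same exhaustion, reported through the checked path. Nesting stops at 2 and
 * rt->last_error holds the out-of-memory message. */
static int run_checked(Runtime *rt) {
    memset(rt, 0, sizeof *rt);
    rt->budget = 4 * OBJECT_SIZE;
    while (alloc_gc_thing(rt, OBJECT_SIZE) != NULL) { }
    report_error_checked(rt, "some script error");
    return rt->max_depth;
}
```

The two things the checked reporter does correspond to the two halves of this bug: testing the js_NewObject / JS_NewStringCopyZ results covers the unchecked calls Brendan asks to keep the bug open for, and refusing to allocate while a report is already in progress is what turns an OOM inside the exception path into a plain error report instead of a recursion.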

Comment 1

17 years ago
cc'ing JS Engine team  - compare bug 46196

Status: UNCONFIRMED → NEW
Ever confirmed: true
What version of Mozilla was this reported against?  I thought rogerl's fix for
46196 went into the trunk. OTOH, the unchecked calls to js_NewObject and
JS_NewStringCopyZ should have been fixed with that bug, but weren't.  So at
least those unchecked calls still need to be fixed.

Phil, did you verify 46196 yet?

/be
(Reporter)

Comment 3

17 years ago
Apologies; I've just checked against the fixes applied to the trunk and it 
seems my source is outdated with regard to it. Sorry for the duplicate report
:-(
No worries.  I think this bug should stay open and be used to fix the unchecked
js_NewObject and JS_NewStringCopyZ calls.

/be

Updated

17 years ago
Keywords: js1.5
(Assignee)

Comment 5

17 years ago
Adding patch to check newObject and StringCopyZ calls..
Status: NEW → ASSIGNED
(Assignee)

Comment 6

17 years ago
Created attachment 19809 [details] [diff] [review]
Added missing error checks (and re-wrote another to match)
mccabe, can you r=?  I'll sr=.

/be

Comment 8

17 years ago
r=mccabe
a=brendan@mozilla.org.

/be
(Assignee)

Comment 10

17 years ago
Fix checked in.
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 11

17 years ago
Marking Verified -
Status: RESOLVED → VERIFIED

Comment 12

17 years ago
*** Bug 70332 has been marked as a duplicate of this bug. ***
