Closed Bug 620185 Opened 14 years ago Closed 13 years ago

crash [@ Tracker::addTrackerPage] on oom

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: timeless, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: coverity, crash)

Crash Data

Attachments

(1 file)

incomplete markings
7.38 KB, patch
Details | Diff | Splinter Review 
1055 Tracker::addTrackerPage(const void* v)
1058     struct TrackerPage* p = (struct TrackerPage*) js_calloc(sizeof(*p));
1059     p->base = base;
i'm not going to claim ownership of this bug.

this patch shows some of the fan out from this code. i'm entirely uncertain as to which things can actually fail so i probably got most of them wrong.
Attachment #498594 - Flags: feedback?(gal)
Comment on attachment 498594 [details] [diff] [review]
incomplete markings

>@@ -3849,10 +3857,10 @@ TraceRecorder::checkForGlobalObjectReall
>     LIns** map = (LIns**)alloca(sizeof(LIns*) * length);
>     for (jsuint n = 0; n < length; ++n) {
>         map[n] = tracker.get(src);
>-        tracker.set(src++, NULL);
>+        JS_ALWAYS_TRUE(tracker.set(src++, NULL));
>     }

JS_ALWAYS_TRUE is a synonym for JS_ASSERT -- no side-effects in assertions, please! :)
(In reply to comment #2)
> 
> JS_ALWAYS_TRUE is a synonym for JS_ASSERT -- no side-effects in assertions,
> please! :)

mrbkap politely pointed out I'm wrong about this -- under opt builds, JS_ALWAYS_TRUE is not removed, so the above code is ok.  Sorry for the noise.
Crash Signature: [@ Tracker::addTrackerPage]
Tracer has been removed.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Attachment #498594 - Flags: feedback?(gal)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: