Closed
Bug 96128
Opened 23 years ago
Closed 20 years ago
stack overflow crash with infinite recursion
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 220408
People
(Reporter: jband_mozilla, Assigned: khanson)
References
Details
(Keywords: crash, js1.5, Whiteboard: Is this related to bug #96526?)
Attachments
(2 files)
1.02 KB,
patch
|
Details | Diff | Splinter Review | |
1.01 KB,
patch
|
Details | Diff | Splinter Review |
The JS infinite recursion protection is built into the bytecode interpreter loop is not catching some cases. See: http://lxr.mozilla.org/seamonkey/ident?i=MAX_INTERP_LEVEL On NT4 the simple code... function T(){return new T();}; T() ...causes a stack overflow crash in debug builds of both the browser and the shell. In the release builds this is safely caught by the "too much recursion" mechanism. If I remove the 'new' from the code above this is safely caught in both debug and release builds. The 'new' causes a lookup for the Constructor name and seems to (at least) double the number of items on the C stack for the given interpLevel depth. I suspect we are simply running afoul of the number chosen for the hard limit here and should lower the #define'd value of MAX_INTERP_LEVEL. I'm not clear on exactly what cases the inline call stuff is kicked in, so I don't know if MAX_INLINE_CALL_COUNT is at issue also. Changing MAX_INTERP_LEVEL to 250 makes it not crash for me. (Changing it to 500 did not fix the crash). Such a change may simply be a bandaid; there may be a more appropriate fix.
Comment 1•23 years ago
|
||
Ick. This number might have to be tuned for different OSes, or even for different versions of the same OS! Perhaps we should just reduce (if not eliminate) interpreter recursion, _a la_ the inline_call: stuff. /be
Comment 3•23 years ago
|
||
jband's testcase added to JS test suite: mozilla/js/tests/js1_5/Regress/regress-96128-n.js On WinNT, I experience what jband saw: the debug JS shell crashes, but the optimized JS shell gracefully errors with exit code 3 and this message: InternalError: too much recursion On Linux, I am getting the graceful error in both the debug and optimized JS shells...
Assignee | ||
Updated•23 years ago
|
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.8
Assignee | ||
Updated•23 years ago
|
Whiteboard: Is thiss related to bug #96526
Assignee | ||
Updated•23 years ago
|
Whiteboard: Is thiss related to bug #96526 → Is this related to bug #96526?
Assignee | ||
Updated•23 years ago
|
Target Milestone: mozilla0.9.9 → mozilla1.0.1
Assignee | ||
Comment 5•22 years ago
|
||
Sets the MAX_INTERP_LEVEL to 320. For the Mac the level is also screened for a low stack space dynamically using a call to StackSpace (). For the test case above, the Mac halts at a level of 99. It would be very useful to find a function like StackSpace () for the non Mac version.
Comment 6•22 years ago
|
||
Is 16K based on anything, or just a SWAG? It seems big for a "red zone", but I don't know what else to use -- my gut would favor 8K. Can we measure, perhaps disassemble compiled to see frame sizes by finding stack pointer adjustment code? /be
Keywords: js1.5,
mozilla1.2
Assignee | ||
Comment 7•22 years ago
|
||
I tried 10k and it crashed. It is the value used by a similar code snippet in jsregexp.c.
Comment 8•22 years ago
|
||
Oh, I hadn't seen that jsregexp.c code. Rogerl, how'd you come up with that magic 16K? Should we enshrine it with a common macro so khanson can use it in jsinterp.c? /be
Reporter | ||
Comment 9•22 years ago
|
||
I know of no StackSize equiv for Win32 or Linux. There is an article about Win32 stacks at: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/prothred_0b8l.asp The normal way to deal with this sort of problem on Win32 is reactive rather than proactive: wrap the doubtful code with a structured exception handler and handle the case where the system was unable to give you more stack space. *How* you go about handling it and what state things are left in is a messy problem though. It appears that a Win32 version of StackSize would not be hard to write. The Platform SDK has headers for NT_TIB (thread info block) which has members: StackBase and StackLimit. Apparently this block is always pointed to by an offset from the FS register. Of course the current stack pointer is always in a register. I *assume* that the limit it refers to is the *reserved* memory limit. So, it is possible that actually committing stack memory might fail before the limit is reached. I don't know if these things are identical across Win32 platforms (e.g. Win95 v. Win200 etc). Again, if it *really* makes sense to try to adaptively cope with stack overflow in the js interp loop for Win32 then appropriately placed structured exception handling may be worth investigating. On the issue of the choice of magic numbers... I would expect less per function stack use in a release build... We should not limit the release builds with 'red zones' sized for debug builds. Do we have a reasonable way to estimate limiting stack requirements at the interp loop level? Or is it 'OK' to just try it with some arbitrary bit of nesting code?
Assignee | ||
Comment 10•22 years ago
|
||
I will try to determine the correct size of the red zone in various environments. Note, it should be large enough to provide the stack and heap necessary for a graceful exit.
Comment 11•22 years ago
|
||
*** Bug 157434 has been marked as a duplicate of this bug. ***
Comment 12•22 years ago
|
||
(Sorry - on vacation, so not checking email very often). The stack sniffing code came from Beard & Waldemar. I'm not sure, but I think the 16K is the default stack size given to a Mac application by the Finder (back in the good old days). The (candidate) new engine doesn't use the same code since it doesn't recurse on the stack, but macro-fying the code snippet seems like a handy thing to do for the major recursion sensitive passes.
Comment 13•22 years ago
|
||
I reported a similar bugs unchecked stack overflow during recursion in parser, regexp parser and toSource implementation: see bug 192414 and bug 192465. It seems having StackSize available would be a proper remedy for this.
Comment 14•21 years ago
|
||
Igor, sorry this dropped off my radar. Can it wait till 1.6alpha? /be
Comment 15•21 years ago
|
||
Perhaps it makes sence to use SpaceSize on Mac when limitting maximal stack consumption instead of compilation-time limit set by JS_DEFAULT_STACK_SIZE_LIMIT? This is completely untested since I do not have access to any MAC.
Comment 16•21 years ago
|
||
I don't know that StackSpace() returns anything useful in Mach-O. It might not. Can we measure stack depth by referring to the address of some variable on the stack in the frame for a non-recursing function?
Updated•20 years ago
|
Keywords: mozilla1.2 → crash
Comment 17•20 years ago
|
||
This is now a dup of bug 220408. /be *** This bug has been marked as a duplicate of 220408 ***
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•