Open Bug 988045 Opened 11 years ago Updated 1 year ago

Static and/or dynamic analysis to find SM error handling bugs

Categories

(Core :: JavaScript Engine, enhancement, P5)

enhancement

Tracking


People

(Reporter: jorendorff, Unassigned)

References

(Blocks 1 open bug)

Details

I can start with finding places where we're missing a JS_CHECK_RECURSION, since that should be evident from the call graph. What I'm really after is stupid bugs where we don't check for an error at all, or we check but then control flows back out of the `if (!)` block without doing actual error handling. Harder to catch: a case where we do check, and we *do* return false or null, but we leave bad state on the JS heap. Hmm.
Competing idea: jseward mentioned you could write a valgrind tool to detect when a pointer flows from an allocation function to a read or write, without first controlling a conditional branch. Dynamic, not static, but you wouldn't actually have to trigger OOM in order to test for it. Not sure that'd be worth the substantial time investment. Our error handling rules are not simple enough. Not simple enough for computers and evidently not simple enough for people.
Summary: Static analysis to find SM error handling bugs → Static and/or dynamic analysis to find SM error handling bugs
Assignee: general → nobody
Severity: normal → S3
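A toy version of the rule jseward sketched, as an added example that is not part of this bug, of SpiderMonkey, or of any Valgrind tool: it replays a constructed straight-line trace and flags a read or write through an allocation result that has not yet controlled a conditional branch. The allocator names and the trace format are assumptions.

```python
# Constructed example: the "pointer from an allocator must control a branch
# before it is dereferenced" rule over a simplified execution trace.
ALLOC_FUNCS = {"js_malloc", "NewObject"}  # assumed allocator names

# Trace entries are (op, dest, src):
#   ("call",   dest, fn)   dest = fn()
#   ("copy",   dest, src)  dest = src
#   ("branch", None, src)  if (src) ... / if (!src) ...
#   ("load",   dest, src)  dest = *src
#   ("store",  dest, src)  *dest = src

def find_unchecked_uses(trace):
    """Return (trace index, variable) for each dereference of a pointer
    whose allocation has not yet been tested by a branch. Like the dynamic
    tool described above, this catches the never-checked case; a check whose
    failure path falls through into a use still counts as checked here."""
    origin = {}      # variable -> id of the allocation whose value it holds
    checked = set()  # allocation ids that have controlled a branch
    findings = []
    for i, (op, dest, src) in enumerate(trace):
        if op == "call":
            if src in ALLOC_FUNCS:
                origin[dest] = i  # use the trace index as allocation id
            else:
                origin.pop(dest, None)
        elif op == "copy":
            if src in origin:
                origin[dest] = origin[src]  # taint follows the pointer
            else:
                origin.pop(dest, None)
        elif op == "branch":
            if src in origin:
                checked.add(origin[src])  # any alias of it is now checked
        elif op in ("load", "store"):
            ptr = src if op == "load" else dest
            if ptr in origin and origin[ptr] not in checked:
                findings.append((i, ptr))
            if op == "load":
                origin.pop(dest, None)  # a loaded value is not an allocation
    return findings

# Constructed trace: obj is checked before use, buf is used via the alias p
# before anyone tests it, and the late check at index 6 does not excuse that.
TRACE = [
    ("call", "obj", "NewObject"),   # 0
    ("branch", None, "obj"),        # 1: if (!obj) return false;
    ("store", "obj", "val"),        # 2: fine, obj was checked
    ("call", "buf", "js_malloc"),   # 3
    ("copy", "p", "buf"),           # 4
    ("store", "p", "zero"),         # 5: flagged, buf never controlled a branch
    ("branch", None, "buf"),        # 6: too late for index 5
    ("call", "n", "strlen"),        # 7: not an allocator, ignored
    ("load", "x", "n"),             # 8
]
```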

Steve was recently asking for ideas on what we could potentially do with the call graph that is extracted when doing the rooting analysis.
This could be one such idea.

Blocks: sm-testing
Severity: S3 → N/A
Type: defect → enhancement
Priority: -- → P5