239785 – JSC shouldn't crash when we run out of structure address space but throw OOM

Bug 239785 - JSC shouldn't crash when we run out of structure address space but throw OOM

Summary: JSC shouldn't crash when we run out of structure address space but throw OOM

Status:	NEW

Alias:	None

Product:	WebKit
Classification:	Unclassified
Component:	New Bugs (show other bugs)
Version:	WebKit Nightly Build
Hardware:	Unspecified Unspecified

Importance:	P2 Normal
Assignee:	Keith Miller

URL:
Keywords:	InRadar

Depends on:
Blocks:

Reported:	2022-04-26 13:17 PDT by Keith Miller
Modified:	2022-05-03 13:18 PDT (History)
CC List:	7 users (show)

See Also:

Attachments
Patch (10.68 KB, patch) 2022-04-26 13:21 PDT, Keith Miller	no flags	Details \| Formatted Diff \| Diff
Patch (12.61 KB, patch) 2022-04-26 19:26 PDT, Keith Miller	msaboff: review+	Details \| Formatted Diff \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Keith Miller 2022-04-26 13:17:27 PDT

JSC shouldn't crash when we run out of structure address space but throw OOM

Comment 1 Keith Miller 2022-04-26 13:21:23 PDT

Created attachment 458392 [details]
Patch

Comment 2 Yusuke Suzuki 2022-04-26 13:33:47 PDT

Comment on attachment 458392 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=458392&action=review

> Source/JavaScriptCore/runtime/JSObjectInlines.h:421
> +    if (!newStructure) {

Currently, caller of putDirect etc. does not check exception. So I don’t think we can throw it safely without changing all the callers of putDirect.

Comment 3 Mark Lam 2022-04-26 13:38:44 PDT

Comment on attachment 458392 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=458392&action=review

> Source/JavaScriptCore/runtime/JSObjectInlines.h:422
> +        auto scope = DECLARE_THROW_SCOPE(vm);

The proper idiom would be to put this decl at the top of the function.  Otherwise, callers won't always be informed that this function may throw.

Comment 4 Keith Miller 2022-04-26 19:26:37 PDT

Created attachment 458412 [details]
Patch

Comment 5 Michael Saboff 2022-04-27 08:31:32 PDT

Comment on attachment 458412 [details]
Patch

r=me

Comment 6 Mark Lam 2022-04-27 10:46:33 PDT

Comment on attachment 458412 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=458412&action=review

> Source/JavaScriptCore/runtime/JSObjectInlines.h:423
> +        auto scope = DECLARE_THROW_SCOPE(vm);

This is still in the wrong place.  This means there will be fall out from unchecked exceptions that go undetected.

Comment 7 Saam Barati 2022-04-27 11:08:47 PDT

Comment on attachment 458412 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=458412&action=review

>> Source/JavaScriptCore/runtime/JSObjectInlines.h:423
>> +        auto scope = DECLARE_THROW_SCOPE(vm);
> 
> This is still in the wrong place.  This means there will be fall out from unchecked exceptions that go undetected.

yes, agreed.

Comment 8 Yusuke Suzuki 2022-04-27 11:10:26 PDT

There are many places we cannot fail. One example is JSGlobalObject initialization, which will create bunch of Structures. I wonder if throwing OOM will cause fallout in various places.

Comment 9 Radar WebKit Bug Importer 2022-05-03 13:18:13 PDT

<rdar://problem/92688938>