On 04/21/2016 05:16 PM, Jan de Mooij wrote:
> Is our only option doubling down on these fuzz bugs and adding more
> assertions, or can we do better with static analysis, the type system,
> annotations, something?

From the type system point of view, I think we could add a type to distinguish allocation failures from boolean types. In many cases, I found that we were mixing the true/false expectation of an analysis with the true/false of an allocation.

Using the type system would involve making a lot of modifications to the code base, either to wrap/unwrap error codes or to add new enumerated types. I think this could be a good long-term solution, but hardly a way to make incremental progress.

A static analysis is probably the easiest way forward, and it should ensure that the same value (false / Foo::ALLOC_ERROR) is always used to identify allocation failures within a single function.

This means that an analysis should probably:
(1) Go through the body of functions, and look for values returned in case of allocation failures.
(2) Annotate the function declaration with the value used on allocation failures.
(3) Revisit, by going back to (1), any of the functions which are using any of the annotated function declarations.
(4) Ensure that virtual functions have consistent error values.

This would leave the question of function pointers, but I guess this is something we can easily address either by review or with annotations.

--
Nicolas B. Pierron
_______________________________________________
dev-tech-js-engine-internals mailing list
dev-tech-js-engine-internals@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-js-engine-internals
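A toy worklist implementation of the analysis sketched in the message above, added here as an example; it is not part of the thread and not SpiderMonkey code. It assumes a hypothetical mini-IR in which each function is reduced to its allocation-failure paths: `("alloc", value)` stands for `p = alloc(); if (!p) return value;` and `("call", callee, value)` for `if (callee() == <callee's failure value>) return value;`. Steps (1) to (3) become a fixpoint over the call graph (a callee's annotation is not known until it has been visited, so its callers are re-queued), and step (4) is a final comparison of virtual overrides. The function names and the `false` / `"nullptr"` / `Foo::ALLOC_ERROR` values in the sample are constructed for the example.

```python
from collections import defaultdict

# Annotation given to a function that returns more than one distinct value on
# allocation-failure paths (the inconsistency the analysis is meant to catch).
MIXED = "<mixed>"


def failure_values(paths, annotations):
    """Values a function returns on allocation-failure paths.

    A "call" path only counts as a failure path once the callee has been
    annotated with a failure value; a callee whose false/true means
    "analysis result", not "out of memory", never gets an annotation.
    """
    values = set()
    for path in paths:
        if path[0] == "alloc":
            values.add(path[1])
        elif path[0] == "call" and path[1] in annotations:
            values.add(path[2])
    return values


def annotate(functions):
    """Steps (1)-(3): annotate every function with its failure value, iterating
    to a fixpoint so that annotations propagate from callee to caller."""
    callers = defaultdict(set)
    for name, paths in functions.items():
        for path in paths:
            if path[0] == "call":
                callers[path[1]].add(name)

    annotations = {}
    worklist = list(functions)            # (1) visit every function body
    while worklist:
        name = worklist.pop()
        values = failure_values(functions[name], annotations)
        if not values:
            continue                      # no allocation-failure path (yet)
        new = MIXED if len(values) > 1 else next(iter(values))
        if name not in annotations or annotations[name] != new:
            annotations[name] = new       # (2) annotate the declaration
            worklist.extend(callers[name])  # (3) revisit its users
    return annotations


def check(functions, overrides=()):
    """Run the analysis and report inconsistencies.

    Returns (annotations, problems). `overrides` lists (base, derived) pairs of
    virtual functions whose failure values must agree (step 4).
    """
    annotations = annotate(functions)
    problems = []
    for name, paths in functions.items():
        values = failure_values(paths, annotations)
        if len(values) > 1:
            problems.append(f"{name}: inconsistent allocation-failure values "
                            f"{sorted(map(repr, values))}")
    for base, derived in overrides:
        if annotations.get(base) != annotations.get(derived):
            problems.append(f"{derived} overrides {base} but fails with "
                            f"{annotations.get(derived)!r} instead of "
                            f"{annotations.get(base)!r}")
    return annotations, problems


# Constructed sample program in the mini-IR (hypothetical names).
SAMPLE = {
    # bool appendDefinition(): "if (!growBuffer()) return false;"
    "appendDefinition": [("call", "growBuffer", False)],
    # bool growBuffer(): "p = js_malloc(n); if (!p) return false;"
    "growBuffer": [("alloc", False)],
    # buildGraph() propagates appendDefinition's failure as false but also
    # returns nullptr on a raw allocation failure: two sentinels in one body.
    "buildGraph": [("call", "appendDefinition", False), ("alloc", "nullptr")],
    # isFoldable() is a pure analysis; its false is not an OOM.
    "isFoldable": [],
    # tryFold() returns false when isFoldable() is false; not an OOM path.
    "tryFold": [("call", "isFoldable", False)],
    # Virtual pair with disagreeing failure values.
    "Base::compile": [("alloc", False)],
    "Derived::compile": [("alloc", "Foo::ALLOC_ERROR")],
}
OVERRIDES = [("Base::compile", "Derived::compile")]

if __name__ == "__main__":
    annotations, problems = check(SAMPLE, OVERRIDES)
    for name, value in sorted(annotations.items()):
        print(f"{name}: fails with {value!r}")
    for problem in problems:
        print("PROBLEM:", problem)
```

On the sample, `growBuffer` and `appendDefinition` are annotated with `false` (the second only after the first has been visited), `buildGraph` is reported as mixed, `Derived::compile` is reported for disagreeing with `Base::compile`, and `isFoldable` / `tryFold` get no annotation at all because no allocation failure reaches them, which is exactly the analysis-result-versus-OOM distinction the message draws. Function pointers are not modelled; as the message says, those would need review or explicit annotations.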
