get_all_msg_headers(): cold *_NULL fields read undefined via dot-acces

BBS:      TELESC.NET.BR
Assunto:  get_all_msg_headers(): cold *_NULL fields read undefined via dot-acces
De:       Rob Swindell
Data:     Thu, 21 May 2026 16:32:33 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/issues/1143#note_8993

**OOM / allocation-failure (#1144) ruled out as the trigger for this symptom**

Tested the open question of whether allocation failure (`JS_NewStringCopyZ`  NULL under heap pressure, the LAZY_* fall-through path described in #1144) is what produces the cold-`to_ext`-undefined here. Two independent lines of evidence say no:

**1. Heap invariance.** Ran the cold/primed probe against the live mail base at three heap sizes (`jsexec -m`): 16 MB (default), 256 MB, 1 GB. Bit-identical results every time:

| heap | total | cold to_ext undef | BUG mismatches | cold defined-but-wrong |
|------|-------|-------------------|----------------|------------------------|
| 16 MB | 7294 | 7193 | 6971 | 0 |
| 256 MB | 7294 | 7193 | 6971 | 0 |
| 1 GB | 7294 | 7193 | 6971 | 0 |

If allocation pressure were the trigger, a 64 larger heap would relieve it and the count would drop  it didn't move by a single header. An OOM-driven failure would also be non-deterministic (GC timing / high-water mark dependent); this is fully deterministic.

**2. GETELEM returns the real string** (decisive, heap-independent). If `JS_NewStringCopyZ` had returned NULL, the string would never exist and the property would never be defined  so `hdr["to_ext"]` (JSOP_GETELEM) would *also* read undefined. But GETELEM returns the correct value (`to_ext` undef = 213 = the true NULL count), while `hdr.to_ext` (JSOP_GETPROP) reads undefined. The string **was** allocated and the property **was** defined; only the GETPROP property-cache lookup path fails.

So the symptom in this issue is the `JSOP_GETPROP` property-cache mispredict across same-shape headers, not the #1144 allocation-failure path.

**This does not invalidate #1144.** The unchecked `JS_*` returns are a separable, real latent defect that would bite under genuine allocation pressure (and silently swallow the pending exception), exactly as described there  it's just not the mechanism firing in this reproduction.
--- SBBSecho 3.37-Linux
 * Origin: Vertrauen - [vert/cvs/bbs].synchro.net (1:103/705)

-----------------------------------------------------------
[Voltar]