Closed Bug 418561 Opened 16 years ago Closed 16 years ago

MakeArraySlow() does thread-unsafe set of JSClass slot.

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 419537
mozilla1.9

People

(Reporter: jst, Assigned: crowderbt)

Details

Attachments

(1 file)

http://lxr.mozilla.org/mozilla/source/js/src/jsarray.c#1081

Link pretty much says it all, multi-instruction set of obj->fslots[JSSLOT_CLASS], a racing thread could end up getting a null class, which is supposed to be impossible.

Shaver gets this one per discussion on irc.
Flags: blocking1.9+
Assignee: general → shaver
Assignee: shaver → crowder
Status: NEW → ASSIGNED
Attachment #304401 - Flags: review?(brendan)
Version: unspecified → Trunk
Comment on attachment 304401 [details] [diff] [review]
coherent class flags at all times

r=shaver
Attachment #304401 - Flags: review?(brendan)
Attachment #304401 - Flags: review+
Attachment #304401 - Flags: approval1.9?
Attachment #304401 - Flags: approval1.9? → approval1.9+
Comment on attachment 304401 [details] [diff] [review]
coherent class flags at all times

This still isn't thread-safe -- you want the ensemble change to obj to be atomic.

/be
Not sure how to make that whole transition atomic WRT racing STOBJ_GET_CLASS, off-hand, but I'll sleep on it some more.  We definitely need to sprinkle some threadsafety dust on arrays, which will include locking around the bulk of MakeArraySlow, so maybe it's not worth fixing this independently?  Even with that, though, STOBJ_GET_CLASS explicitly doesn't participate in the locking protocol, so it will still race.

We need the atomic update of JSSLOT_CLASS to keep STOBJ_GET_CLASS from seeing NULL, but any more involved use of the clasp will require that the caller do the right thing with title locking...
Moving bugs that aren't beta 4 blockers to target final release.
Target Milestone: mozilla1.9beta4 → mozilla1.9
Taking this off the blocking list.  There are bigger bugs tracking the general problem.
Flags: tracking1.9+
Going to just dupe this forward to bug 419537, which is the meta shavarray thread-safety bug.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
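
The race discussed in this bug, sketched as an added example that is not code from the bug, its attachment or SpiderMonkey: a multi-step write to a class slot leaves a window in which a lock-free reader loads a NULL class, while building the word locally and publishing it once does not. The slot layout (class pointer with flag bits in the low two bits), the multi-step shape and every name here (`demo_obj`, `get_class`, `set_class_multistep`, `set_class_atomic`) are assumptions made for illustration.

```c
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout, not SpiderMonkey's: class pointer with flags in the low 2 bits. */
typedef struct demo_class { const char *name; } demo_class;
typedef struct demo_obj { _Atomic uintptr_t class_slot; } demo_obj;
#define FLAG_MASK ((uintptr_t)3)

static demo_class fast_class = { "fast array" };
static demo_class slow_class = { "slow array" };

/* Lock-free reader, standing in for a class getter that takes no lock. */
static demo_class *get_class(demo_obj *o) {
    uintptr_t w = atomic_load_explicit(&o->class_slot, memory_order_acquire);
    return (demo_class *)(w & ~FLAG_MASK);
}

static uintptr_t get_flags(demo_obj *o) {
    return atomic_load_explicit(&o->class_slot, memory_order_acquire) & FLAG_MASK;
}

/* Multi-step update: strip the old pointer, then OR in the new one. Returns the
 * class a reader would load between the two stores (NULL). */
static demo_class *set_class_multistep(demo_obj *o, demo_class *c) {
    uintptr_t flags = atomic_load(&o->class_slot) & FLAG_MASK;
    atomic_store(&o->class_slot, flags);                 /* pointer bits gone */
    demo_class *seen_in_window = get_class(o);           /* racing reader's view */
    atomic_store(&o->class_slot, (uintptr_t)c | flags);  /* new class published */
    return seen_in_window;
}

/* Single-publication update: build the whole word locally and swap it in with
 * one compare-and-swap, so every load sees either the old or the new class. */
static void set_class_atomic(demo_obj *o, demo_class *c) {
    uintptr_t old = atomic_load_explicit(&o->class_slot, memory_order_relaxed);
    uintptr_t next;
    do {
        next = (uintptr_t)c | (old & FLAG_MASK);
    } while (!atomic_compare_exchange_weak_explicit(&o->class_slot, &old, next,
                 memory_order_release, memory_order_relaxed));
}

int main(void) {
    demo_obj o;
    atomic_init(&o.class_slot, (uintptr_t)&fast_class | 1);  /* constructed input */
    printf("multi-step window: %p\n", (void *)set_class_multistep(&o, &slow_class));
    set_class_atomic(&o, &fast_class);
    printf("after atomic swap: %s, flags=%lu\n", get_class(&o)->name,
           (unsigned long)get_flags(&o));
    return 0;
}
```

The single swap only guarantees that the slot itself is never observed as NULL; it does not make the rest of an object's transition atomic, which is the limitation raised in the comments above.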