Closed Bug 1124738 Opened 5 years ago Closed 5 years ago

Rooting hazard in CClosure::Create()

Categories

(Core :: JavaScript: GC, defect)

RESOLVED FIXED
mozilla38

People

(Reporter: jonco, Assigned: jonco)

Attachments

(1 file)

Rooting hazard revealed after landing bug 1124195.

Function '_ZN2js6ctypes8CClosure6CreateEP9JSContextN2JS6HandleIP8JSObjectEES8_S8_NS4_5ValueEPPFvvE|JSObject* js::ctypes::CClosure::Create(JSContext*, class JS::Handle<JSObject*>, class JS::Handle<JSObject*>, class JS::Handle<JSObject*>, JS::Value, (void)()**)())' has unrooted 'cinfo' of type 'class mozilla::UniquePtr<js::ctypes::ClosureInfo, JS::DeletePolicy<js::ctypes::ClosureInfo> >' live across GC call '_Z15JS_GetPrototypeP9JSContextN2JS6HandleIP8JSObjectEENS1_13MutableHandleIS4_EE|uint8 JS_GetPrototype(JSContext*, class JS::Handle<JSObject*>, class JS::MutableHandle<JSObject*>)' at js/src/ctypes/CTypes.cpp:6096
    js/src/ctypes/CTypes.cpp:6088: Assume(39,45, null(__temp_20.__pfn*), false)
    js/src/ctypes/CTypes.cpp:6095: Call(45,46, __temp_21*.GuardObjectNotifier(0))
    js/src/ctypes/CTypes.cpp:6095: Call(46,47, proto.Rooted(cx*,__temp_21))
    js/src/ctypes/CTypes.cpp:6095: Call(47,48, __temp_21.~GuardObjectNotifier())
    js/src/ctypes/CTypes.cpp:6096: Assign(48,49, __temp_23 := typeObj*)
    js/src/ctypes/CTypes.cpp:6096: Call(49,50, __temp_24*.MutableHandle(0,proto))
    js/src/ctypes/CTypes.cpp:6096: Call(50,51, __temp_22 := JS_GetPrototype(cx*,__temp_23*,__temp_24*)) [[GC call]]
    js/src/ctypes/CTypes.cpp:6096: Assume(51,52, !__temp_22*, true)
    js/src/ctypes/CTypes.cpp:6097: Assign(52,53, return := 0)
    js/src/ctypes/CTypes.cpp:6097: Call(53,54, proto.~Rooted())
    js/src/ctypes/CTypes.cpp:6097: Call(54,55, cinfo.~ClosureInfo> >())
GC Function: _Z15JS_GetPrototypeP9JSContextN2JS6HandleIP8JSObjectEENS1_13MutableHandleIS4_EE|uint8 JS_GetPrototype(JSContext*, class JS::Handle<JSObject*>, class JS::MutableHandle<JSObject*>)
    uint8 js::GetPrototype(JSContext*, class JS::Handle<JSObject*>, class JS::MutableHandle<JSObject*>)
    uint8 js::Proxy::getPrototypeOf(JSContext*, class JS::Handle<JSObject*>, class JS::MutableHandle<JSObject*>)
    uint8 js::CrossCompartmentWrapper::getPrototypeOf(JSContext*, class JS::Handle<JSObject*>, class JS::MutableHandle<JSObject*>) const
    uint8 JSCompartment::wrap(JSContext*, class JS::MutableHandle<JSObject*>, class JS::Handle<JSObject*>)
    FieldCall: JSWrapObjectCallbacks.preWrap
Attachment #8553232 - Flags: review?(sphink)
Comment on attachment 8553232
bug1124738-ctypes-hazard

Review of attachment 8553232:
-----------------------------------------------------------------

Sorry, I didn't notice when this review request came in. I hadn't realized the errResult thing wasn't just a simple type.
Attachment #8553232 - Flags: review?(sphink) → review+
https://hg.mozilla.org/mozilla-central/rev/468c1db9e338
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38