Disallow JS execution while iterating over the JS heap

Status: NEW (Unassigned)
Product / Component: Core :: JavaScript Engine
Reported: 3 years ago, last modified: 3 years ago
Reporter: njn
Firefox Tracking Flags: (Not tracked)

Description (Reporter, 3 years ago)

The JS memory reporter iterates over the JS heap. While this is happening it's vital that no JS code executes, otherwise we can get crashes like bug 1103375's. There are some ad hoc mechanisms in there but something general would be better.

mrbkap suggested this:

> One other idea would be to set a bit somewhere in XPConnect when we're
> iterating the JS heap and to refuse (in nsXPCWrappedJSClass) to call back
> into JS from C++ (we'd probably want to assert in debug builds as well as
> throwing in optimized builds) when the bit is set. That way, other bugs
> like this wouldn't crash us.

There are some existing RAII classes that forbid running JS, though I'm not sure they fail gracefully.
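As an added illustration of the design mrbkap sketches above (a flag set for the duration of the heap walk, checked at the one place C++ re-enters JS), here is example code that is not Firefox's or XPConnect's own. `AutoForbidJS`, `CallIntoJS`, `Obj`, `ReportHeap` and the sample heap are hypothetical stand-ins for the bit in XPConnect, the nsXPCWrappedJSClass call path, and the memory reporter's iteration:

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Hypothetical stand-in for "a bit somewhere in XPConnect". A per-thread
// nesting counter rather than a bool so that nested guards compose.
static thread_local unsigned gForbidJSDepth = 0;

// Hypothetical RAII guard: while any instance is alive on this thread,
// every C++ -> JS call routed through CallIntoJS is refused.
class AutoForbidJS {
public:
  AutoForbidJS() { ++gForbidJSDepth; }
  ~AutoForbidJS() { --gForbidJSDepth; }
  AutoForbidJS(const AutoForbidJS&) = delete;
  AutoForbidJS& operator=(const AutoForbidJS&) = delete;
};

bool JSForbidden() { return gForbidJSDepth > 0; }

// Stand-in for the nsXPCWrappedJSClass call path: the one choke point through
// which C++ re-enters JS. Returns false (the "throw" of an optimized build)
// instead of running the callee while the guard is active.
bool CallIntoJS(int (*jsFunc)(), int* result) {
  if (JSForbidden()) {
    // A debug build would assert here; this example only reports failure so
    // the refusal path can be exercised without aborting.
    return false;
  }
  *result = jsFunc();
  return true;
}

// Toy heap object: a size plus an optional JS hook that a careless reporter
// might call while walking the heap (the kind of re-entry the bug describes).
struct Obj {
  size_t bytes;
  int (*jsHook)();
};

struct ReportResult {
  size_t bytes;          // total reported size
  unsigned hooksRan;     // JS hooks that actually executed
  unsigned hooksRefused; // JS hooks refused by the guard
};

// Walk the heap under the guard. Hooks are attempted but refused, and the
// walk still completes with the correct total.
ReportResult ReportHeap(const std::vector<Obj>& heap) {
  AutoForbidJS guard;
  ReportResult r = {0, 0, 0};
  for (const Obj& o : heap) {
    r.bytes += o.bytes;
    if (!o.jsHook) continue;
    int ignored = 0;
    if (CallIntoJS(o.jsHook, &ignored)) ++r.hooksRan; else ++r.hooksRefused;
  }
  return r;
}

static int NoisyHook() { return 42; }

// Constructed sample heap: three objects, two of which carry a JS hook.
std::vector<Obj> SampleHeap() {
  return { {16, nullptr}, {32, NoisyHook}, {64, NoisyHook} };
}

// The same call with and without a guard in scope; -1 means "refused".
int CallHookUnguarded() { int v = -1; CallIntoJS(NoisyHook, &v); return v; }
int CallHookGuarded()   { AutoForbidJS g; int v = -1; CallIntoJS(NoisyHook, &v); return v; }

int main() {
  ReportResult r = ReportHeap(SampleHeap());
  std::printf("bytes=%zu ran=%u refused=%u\n", r.bytes, r.hooksRan, r.hooksRefused);
  std::printf("unguarded=%d guarded=%d\n", CallHookUnguarded(), CallHookGuarded());
  return 0;
}
```

The point of routing every re-entry through a single `CallIntoJS` is that the check is made once, at the boundary, rather than at each of the ad hoc call sites inside the reporter; the walk then completes with its totals intact even when a hook would otherwise have run JS mid-iteration.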