Closed Bug 1285034 Opened 5 years ago Closed 5 years ago
Object's compartment's global may be null when tracing
This can happen if we GC at the wrong place in GlobalObject::create. This would be "fine" except that JSCompartment::global() returns a reference. It is undefined behavior to have a nullptr as a reference, so the compiler is allowed to (and probably does) assume that the reference is non-null. Luckily, the only thing we're using the reference for in the case it's null is to compare to |this|. Since the pointer and reference have the same internal representation and the compiler can't use our mistake to optimize the comparison, I think this will not result in incorrect logic, probably. At least not at the moment. To fix this I've added a new globalForTracing that returns a pointer and made both it and isOwnGlobal take a JSTracer; this should at least make sure the madness stays restricted to the GC.
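The pattern described in the comment above, as an added, self-contained C++ illustration that is not SpiderMonkey code: a compartment-like object whose global is installed late, a `global()` accessor that forms a reference by dereferencing a possibly-null pointer (the undefined-behavior path, defined here but never exercised), and a `globalForTracing()` accessor that returns the raw pointer so the "is this my own global?" check can test for null explicitly. The names `Compartment`, `Global`, `isOwnGlobal` and the three driver functions are assumptions chosen to mirror the bug description, not the engine's real types or signatures.

```cpp
#include <cstdio>

// Constructed stand-in for a global object (assumption: not a real engine type).
struct Global {
    int id;
};

// Constructed stand-in for a compartment whose global pointer is null until
// creation finishes, which is the window in which a GC can trace it.
struct Compartment {
    Global* global_ = nullptr;

    // Problematic accessor: dereferences global_ to form a reference. If
    // global_ is null this is undefined behavior at the point of the call,
    // before any caller ever compares anything; the optimizer may then
    // assume &global() != nullptr. Defined only for contrast, never called
    // here with a null global_.
    Global& global() { return *global_; }

    // Fixed accessor: hand back the pointer so the caller can check it.
    Global* globalForTracing() { return global_; }

    // Check in the style of the original: compares the reference's address.
    // Not exercised in this example because it is UB when global_ is null.
    bool isOwnGlobalUnsafe(const Global* g) { return &global() == g; }

    // Fixed check: explicit null handling on the pointer form.
    bool isOwnGlobal(const Global* g) {
        Global* mine = globalForTracing();
        return mine != nullptr && mine == g;
    }
};

// Simulates a GC tracing the compartment mid-creation: no global installed
// yet, so the candidate cannot be our own global and no null reference is
// formed along the way.
bool isOwnGlobalDuringCreate() {
    Compartment c;
    Global candidate{1};
    return c.isOwnGlobal(&candidate);
}

// After creation has installed the global, the same check recognizes it.
bool isOwnGlobalAfterCreate() {
    Compartment c;
    Global g{1};
    c.global_ = &g;
    return c.isOwnGlobal(&g);
}

// A different, fully constructed global is correctly rejected.
bool isOwnGlobalOtherGlobal() {
    Compartment c;
    Global mine{1};
    Global other{2};
    c.global_ = &mine;
    return c.isOwnGlobal(&other);
}

int main() {
    std::printf("mid-create: %d, after create: %d, other global: %d\n",
                isOwnGlobalDuringCreate() ? 1 : 0,
                isOwnGlobalAfterCreate() ? 1 : 0,
                isOwnGlobalOtherGlobal() ? 1 : 0);
    return 0;
}
```

The point of the pointer-returning accessor is not that the comparison's bit pattern changes, it does not, but that the null case becomes a value the program can legitimately test instead of a state the language already treats as impossible; a sanitizer build (`-fsanitize=undefined`) would flag the reference-forming version on the mid-create path, and the pointer version gives it nothing to flag.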
Attachment #8768569 - Flags: review?(jcoppeard) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/b2354d420c2ca6b8ecef1c8cc7a1ed17cca6e1bf Bug 1285034 - Do not create a null reference when tracing; r=jonco