Bug 1285034 - GlobalObject's compartment's global may be null when tracing
Status: Closed (RESOLVED FIXED)
Opened 8 years ago; closed 8 years ago
Product/Component: Core :: JavaScript: GC (defect)
Target Milestone: mozilla50

Tracking | Status
---|---
firefox50 | fixed

People: Reporter: terrence; Assigned: terrence
References: Blocks 1 open bug
Attachments (1 file): patch, 4.47 KB, jonco: review+
This can happen if we GC at the wrong place in GlobalObject::create. This would be "fine" except that JSCompartment::global() returns a reference. It is undefined behavior to have a nullptr as a reference, so the compiler is allowed to (and probably does) assume that the reference is non-null. Luckily, the only thing we're using the reference for in the case it's null is to compare to |this|. Since the pointer and reference have the same internal representation and the compiler can't use our mistake to optimize the comparison, I think this will not result in incorrect logic, probably. At least not at the moment.
To fix this I've added a new globalForTracing that returns a pointer and made both it and isOwnGlobal take a JSTracer; this should at least make sure the madness stays restricted to the GC.
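Added example (not from this bug or the SpiderMonkey tree) modelling the accessor shape the description discusses: a reference-returning getter that is undefined behaviour once the underlying pointer is null, next to the pointer-returning form the fix introduces. The Compartment, GlobalObject and Tracer types below are constructed stand-ins, not the real JSCompartment, GlobalObject or JSTracer, and the three top-level functions only simulate the window during creation where the global pointer has not been assigned yet.

```cpp
#include <cassert>

// Constructed stand-ins for the real SpiderMonkey types.
struct Tracer {};          // stands in for JSTracer
struct GlobalObject;

struct Compartment {
    GlobalObject* global_ = nullptr;   // null until creation has finished

    // Original accessor shape: returns a reference.  Dereferencing a null
    // global_ here is undefined behaviour, so the compiler may assume the
    // result is non-null and drop any later null check on its address.
    GlobalObject& global() const;

    // Fixed shape from the bug: return a pointer, so a null global seen by
    // a GC that runs mid-creation is an ordinary, well-defined value.
    GlobalObject* globalForTracing(const Tracer*) const;
};

struct GlobalObject {
    Compartment* compartment_;
    explicit GlobalObject(Compartment* c) : compartment_(c) {}

    // Before the fix: forms a reference to the global, then compares its
    // address with |this|.  With global_ == nullptr the reference itself is
    // the bug, whatever the comparison does afterwards.
    bool isOwnGlobalUnsafe() const {
        return &compartment_->global() == this;
    }

    // After the fix: a plain pointer comparison; null simply compares unequal.
    bool isOwnGlobal(const Tracer* trc) const {
        return compartment_->globalForTracing(trc) == this;
    }
};

GlobalObject& Compartment::global() const { return *global_; }
GlobalObject* Compartment::globalForTracing(const Tracer*) const { return global_; }

// The object exists but the compartment has not been told about it yet: this
// is the state a GC would observe at the wrong point in creation.  Only the
// pointer form is exercised; the reference form would be UB here.
bool tracingBeforeGlobalIsSet() {
    Compartment comp;
    GlobalObject obj(&comp);
    Tracer trc;
    return obj.isOwnGlobal(&trc);      // false: global_ is still null
}

// Once creation has completed, both forms agree and the object is its
// compartment's global.
bool tracingAfterGlobalIsSet() {
    Compartment comp;
    GlobalObject obj(&comp);
    comp.global_ = &obj;
    Tracer trc;
    return obj.isOwnGlobal(&trc) && obj.isOwnGlobalUnsafe();   // true
}

// A second object in the same compartment is not the global.
bool otherObjectIsNotOwnGlobal() {
    Compartment comp;
    GlobalObject real(&comp);
    GlobalObject other(&comp);
    comp.global_ = &real;
    Tracer trc;
    return other.isOwnGlobal(&trc);    // false
}
```

Building the model with `-fsanitize=null` (UBSan in clang or GCC) and calling `isOwnGlobalUnsafe()` while `global_` is still null reports the null reference binding at the point the reference is formed; the pointer-returning path needs no such instrumentation, which is the property the fix relies on.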
Comment 1 (Assignee, 8 years ago)
Attachment #8768569 - Flags: review?(jcoppeard)

Updated 8 years ago
Attachment #8768569 - Flags: review?(jcoppeard) → review+
Comment 2 (Assignee, 8 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/b2354d420c2ca6b8ecef1c8cc7a1ed17cca6e1bf
Bug 1285034 - Do not create a null reference when tracing; r=jonco
Comment 3 (bugherder, 8 years ago)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50