Closed Bug 1285034 Opened 5 years ago Closed 5 years ago

GlobalObject's compartment's global may be null when tracing

Categories

(Core :: JavaScript: GC, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla50
Tracking Status
firefox50 --- fixed

People

(Reporter: terrence, Assigned: terrence)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

This can happen if we GC at the wrong place in GlobalObject::create. This would be "fine" except that JSCompartment::global() returns a reference. It is undefined behavior to have a nullptr as a reference, so the compiler is allowed to (and probably does) assume that the reference is non-null. Luckily, the only thing we're using the reference for in the case it's null is to compare to |this|. Since the pointer and reference have the same internal representation and the compiler can't use our mistake to optimize the comparison, I think this will not result in incorrect logic, probably. At least not at the moment.

To fix this I've added a new globalForTracing that returns a pointer and made both it and isOwnGlobal take a JSTracer; this should at least make sure the madness stays restricted to the GC.
Attachment #8768569 - Flags: review?(jcoppeard)
Attachment #8768569 - Flags: review?(jcoppeard) → review+
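Added illustration, not code from the patch or from SpiderMonkey: a reduced model of the hazard described above. The Compartment, Global and Tracer types and the member names below are stand-ins assumed for the example; they mirror the bug's description (a reference-returning global() accessor versus a pointer-returning globalForTracing() that the tracing-time identity check uses) but are not the real classes.

```cpp
#include <cstddef>
#include <iostream>

// Constructed stand-ins, not SpiderMonkey code: Compartment, Global, Tracer and
// the member names below only mirror the bug's description.
struct Global;
struct Tracer { int visited = 0; };

struct Compartment {
    Global* global_ = nullptr;   // null until GlobalObject creation has finished

    // Hazard from the bug: the accessor returns a reference, and a reference
    // formed from a null pointer is undefined behaviour. The compiler may
    // therefore assume &global() is never null.
    Global& global();

    // Shape of the fix: the GC gets a pointer, so a null global is a value
    // the caller can (and must) test for.
    Global* globalForTracing(Tracer&) { return global_; }
};

struct Global {
    Compartment* comp_;
    explicit Global(Compartment* c) : comp_(c) {}

    // Tracing-time identity check via the pointer-returning accessor; well
    // defined even while comp_->global_ is still null.
    bool isOwnGlobal(Tracer& trc) const {
        Global* g = comp_->globalForTracing(trc);
        return g != nullptr && g == this;
    }
};

Global& Compartment::global() { return *global_; }   // UB when global_ == nullptr

// Toy trace step: visit the compartment's global only if one is installed.
// Returns true if the global was traced.
bool traceCompartmentGlobal(Compartment& comp, Tracer& trc) {
    Global* g = comp.globalForTracing(trc);
    if (g == nullptr) return false;   // GC ran mid-creation: nothing to trace yet
    ++trc.visited;
    return true;
}

// isOwnGlobal result for a Global that is (installed == true) or is not yet
// (installed == false) its compartment's global.
bool ownGlobalCheck(bool installed) {
    Compartment comp;
    Tracer trc;
    Global g(&comp);
    if (installed) comp.global_ = &g;
    return g.isOwnGlobal(trc);
}

// Simulate a GC that runs once in the middle of global creation and once
// after it completes; returns how many times a global was actually traced.
int tracedGlobalsAcrossCreation() {
    Compartment comp;
    Tracer trc;
    Global g(&comp);                     // object allocated, not yet installed
    traceCompartmentGlobal(comp, trc);   // mid-creation: skipped, no UB
    comp.global_ = &g;                   // creation completes
    traceCompartmentGlobal(comp, trc);   // now traced
    return trc.visited;                  // 1
}

int main() {
    std::cout << "own global before install: " << ownGlobalCheck(false) << '\n'
              << "own global after install:  " << ownGlobalCheck(true) << '\n'
              << "globals traced:            " << tracedGlobalsAcrossCreation() << '\n';
}
```

The point of the pointer-returning accessor is that null becomes an ordinary, testable value at the one call site that can legitimately observe it (tracing during GlobalObject creation), instead of a reference whose null-ness the optimizer is entitled to assume away.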
https://hg.mozilla.org/mozilla-central/rev/b2354d420c2c
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50