Closed
Bug 418041
Opened 18 years ago
Closed 17 years ago
js_TransferTitle can be called with not-quite-null "oldtitle" argument
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
INVALID
People
(Reporter: jorendorff, Unassigned)
Details
jsscope.c, lines 77-78, in function js_GetMutableScope:
> scope = (JSScope *) js_DropObjectMap(cx, &scope->map, obj);
> JS_TRANSFER_SCOPE_LOCK(cx, scope, newscope);
jslock.h, lines 188-189:
> #define JS_TRANSFER_SCOPE_LOCK(cx, scope, newscope) \
> js_TransferTitle(cx, &scope->title, &newscope->title)
jslock.c, lines 1155 ff., in function js_TransferTitle:
> /*
> * If the last reference to oldtitle went away, newtitle needs no lock
> * state update.
> */
> if (!oldtitle)
> return;
If js_DropObjectMap returns NULL, then oldtitle here is not null but some small offset from null.
This was causing crashes for me in js shell yesterday. I rebuilt and the symptom vanished (could be anything), but this still looks like a bug to me.
Comment 1•18 years ago
Yeah, should JS_TRANSFER_SCOPE_LOCK use scope ? &scope->title : NULL instead?
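The guard proposed in comment 1, as an added illustration that is not SpiderMonkey's code: the struct layouts are constructed stand-ins, and the point shown is that `&scope->title` for a NULL `scope` is the member offset rather than NULL, so the `if (!oldtitle)` check in js_TransferTitle cannot catch it.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for the structs named in the bug; the only assumption
 * that matters is that `title` is not the first member of JSScope. */
typedef struct JSTitle { int owner; int depth; } JSTitle;
typedef struct JSScope { void *map; int nrefs; JSTitle title; } JSScope;

/* The js_TransferTitle guard quoted above: returns 0 when the NULL check skips
 * the update, 1 when lock state is copied into newtitle. */
static int transfer_title(JSTitle *oldtitle, JSTitle *newtitle) {
    if (!oldtitle)
        return 0;
    newtitle->owner = oldtitle->owner;
    newtitle->depth = oldtitle->depth;
    return 1;
}

/* What `&scope->title` would evaluate to for scope == NULL: the member offset,
 * a small non-zero address that `!oldtitle` never catches. Computed with
 * offsetof so the example itself never forms a pointer from NULL. */
static size_t title_address_for_null_scope(void) {
    return offsetof(JSScope, title);
}

/* The guard proposed in comment 1: form &scope->title only for a real scope. */
static JSTitle *title_or_null(JSScope *scope) {
    return scope ? &scope->title : NULL;
}

static int transfer_scope_lock_guarded(JSScope *scope, JSScope *newscope) {
    return transfer_title(title_or_null(scope), &newscope->title);
}

/* Exercises both paths; returns 1 if a NULL scope is skipped without touching
 * the target and a live scope's lock state is copied. */
static int check_transfer_paths(void) {
    JSScope live = { NULL, 1, { 7, 2 } };
    JSScope target = { NULL, 1, { 0, 0 } };
    if (transfer_scope_lock_guarded(NULL, &target) != 0) return 0;
    if (target.title.owner != 0 || target.title.depth != 0) return 0;
    if (transfer_scope_lock_guarded(&live, &target) != 1) return 0;
    return target.title.owner == 7 && target.title.depth == 2;
}

int main(void) {
    printf("NULL scope would give oldtitle = %#lx, guarded paths ok: %d\n",
           (unsigned long)title_address_for_null_scope(), check_transfer_paths());
    return 0;
}
```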
Comment 2•18 years ago
Stop, wait -- how can scope be null? If js_DropObjectMap returns null, we somehow lost the prototype's reference to the shared scope. How did that happen?
/be
Comment 3•17 years ago
Is this still happening?
/be
Reporter
Comment 4•17 years ago
I suspect comment 2 was right, it should never have happened. I hit it while debugging some other crash. It was probably just a bogus build. Marking INVALID.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → INVALID