Closed Bug 418041 Opened 16 years ago Closed 16 years ago

js_TransferTitle can be called with not-quite-null "oldtitle" argument

Categories

(Core :: JavaScript Engine, defect)

Other Branch
defect
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: jorendorff, Unassigned)

Details

jsscope.c, lines 77-78, in function js_GetMutableScope:
>     scope = (JSScope *) js_DropObjectMap(cx, &scope->map, obj);
>     JS_TRANSFER_SCOPE_LOCK(cx, scope, newscope);

jslock.h, lines 188-189:
> #define JS_TRANSFER_SCOPE_LOCK(cx, scope, newscope)            \
>     js_TransferTitle(cx, &scope->title, &newscope->title)

jslock.c, lines 1155 ff., in function js_TransferTitle:
> /*
>  * If the last reference to oldtitle went away, newtitle needs no lock
>  * state update.
>  */
> if (!oldtitle)
>     return;

If js_DropObjectMap returns NULL, then oldtitle here is not null but some small offset from null.

This was causing crashes for me in js shell yesterday.  I rebuilt and the symptom vanished (could be anything), but this still looks like a bug to me.

Yeah, should JS_TRANSFER_SCOPE_LOCK use scope ? &scope->title : NULL instead?

Stop, wait -- how can scope be null? If js_DropObjectMap returns null, we somehow lost the prototype's reference to the shared scope. How did that happen?

/be
Is this still happening?

/be
I suspect comment 2 was right, it should never have happened.  I hit it while debugging some other crash.  It was probably just a bogus build.  Marking INVALID.
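Worked illustration of the pointer arithmetic the report describes, added here and not code from this bug or from SpiderMonkey: it uses simplified stand-in structs (assumed layout; the real JSScope has more members, but title is likewise not its first member) and compares the macro's `&scope->title` with the `scope ? &scope->title : NULL` form from comment 1.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins for the SpiderMonkey structs (constructed for this example;
 * the real JSScope has more members, but title is likewise not its first member). */
typedef struct JSObjectMap { void *ops; uint32_t nrefs; } JSObjectMap;
typedef struct JSTitle { void *ownercx; } JSTitle;
typedef struct JSScope { JSObjectMap map; JSTitle title; } JSScope;

/* Distance of title from the start of the struct: this is the "small offset from
 * null" the report describes, since &scope->title is scope + this offset. */
static size_t title_offset(void) { return offsetof(JSScope, title); }

/* What JS_TRANSFER_SCOPE_LOCK's &scope->title evaluates to. Taking a member's
 * address through a null pointer is undefined behaviour in C, so the arithmetic
 * the compiler emits is reproduced on an integer instead; the result is the same
 * for a valid scope and shows the non-null bogus address for a null one. */
static JSTitle *buggy_title_ptr(JSScope *scope) {
    return (JSTitle *)((uintptr_t)scope + title_offset());
}

/* The variant proposed in comment 1: propagate NULL instead of a bogus address. */
static JSTitle *fixed_title_ptr(JSScope *scope) {
    return scope ? &scope->title : NULL;
}

/* Model of the early return in js_TransferTitle: returns 1 if it bails out. */
static int transfer_title_bails(JSTitle *oldtitle) { return oldtitle == NULL; }

/* Sanity check that both forms agree whenever the scope is real. */
static int pointers_agree_for_real_scope(void) {
    JSScope s = {{NULL, 1}, {NULL}};
    return buggy_title_ptr(&s) == &s.title && fixed_title_ptr(&s) == &s.title;
}

int main(void) {
    printf("offsetof(JSScope, title) = %zu\n", title_offset());
    printf("buggy &NULL->title = %p, js_TransferTitle bails: %d\n",
           (void *)buggy_title_ptr(NULL), transfer_title_bails(buggy_title_ptr(NULL)));
    printf("fixed form         = %p, js_TransferTitle bails: %d\n",
           (void *)fixed_title_ptr(NULL), transfer_title_bails(fixed_title_ptr(NULL)));
    return 0;
}
```

With the buggy form, the `if (!oldtitle) return;` check in js_TransferTitle never fires for a null scope, and the function goes on to touch memory a few bytes above address zero.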
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID