Persona is no longer an option for authentication on BMO. For more details see Persona Deprecated.
Last Comment Bug 475971 - js_CheckRedeclaration does not always unlock object on failures
: js_CheckRedeclaration does not always unlock object on failures
[sg:critical?] fixed-in-tracemonkey -...
: crash, testcase, verified1.9.0.9, verified1.9.1
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- normal (vote)
: ---
Assigned To: Igor Bukanov
: Jason Orendorff [:jorendorff]
Depends on: 476049
  Show dependency treegraph
Reported: 2009-01-29 09:31 PST by Igor Bukanov
Modified: 2009-10-14 16:40 PDT (History)
14 users (show)
bob: in‑testsuite+
bob: in‑litmus-
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

js1_8/extensions/regress-475971.js (2.88 KB, text/plain)
2009-02-18 11:44 PST, Bob Clary [:bc:]
no flags Details

Description Igor Bukanov 2009-01-29 09:31:15 PST
The contract for js_CheckRedeclaration is to always call OBJ_DROP_PROPERTY on failures. But this does not happen when the caller passes non-null objp/propp. For objects shared between threads this leads to unbalanced js_(Lock/Unlock)Object. The example below demonstrates this. Currently it hangs when run in a thread-safe shell.

Note this probably is not reproducible in the browser as even with thread workers no objects should be shared between threads.  

function x() { return 1; };

// g must run sufficiently long to ensure that the global scope is accessed                                                                                        
// from the parallel threads.                                                                                                                                      
function g()
    var sum = 0;
    try {
        for (var i = 0; i != 10000; ++i) {
            sum += x();
    } catch (e) { }

scatter([g, g]);

try {
    eval("const x = 1");
} catch (e) { }

scatter([g, g]);

Comment 1 Igor Bukanov 2009-02-03 06:14:26 PST
The fix for the bug 476049 has landed in TM and it also fixes this issue.
Comment 2 Igor Bukanov 2009-02-03 06:39:23 PST
Nominating for 1.9.0
Comment 3 Igor Bukanov 2009-02-09 07:38:17 PST
The fix for the bug 476049 has landed in mozilla-central and it also fixes this issue.
Comment 4 Bob Clary [:bc:] 2009-02-18 11:44:48 PST
Created attachment 362941 [details]
Comment 5 Igor Bukanov 2009-03-28 02:22:47 PDT
fixed for 1.9.0 as the fix for bug 476049 is landed on this branch
Comment 6 Igor Bukanov 2009-04-01 17:03:56 PDT
Regarding sg:critical - this bug itself is not critical. The reason that the patch for bug 476049 included the fix was that it was easy to make the patch there that would fix this bug rather than not.
Comment 7 Al Billings [:abillings] 2009-04-03 12:27:46 PDT
Verified for as bug 476049 has been verified for 

Bob, I don't suppose that this test could be added to the 1.9.0 test runs?
Comment 8 Bob Clary [:bc:] 2009-04-03 12:58:30 PDT
Al, it has been although it is not checked in since it is sensitive. No need to verify js bugs that have in-testsuite+ marked since I'll do them.
Comment 9 Al Billings [:abillings] 2009-04-03 13:00:07 PDT
All right. I'm just trying to make sure bugs are verified by today since we make builds on Monday and I'd hate to find out that we didn't fix something AFTER we have official builds.
Comment 10 Bob Clary [:bc:] 2009-04-03 15:13:38 PDT
Comment 11 Marc Bejarano 2009-04-23 15:12:02 PDT
bob: test checked in?
Comment 12 Bob Clary [:bc:] 2009-04-23 17:23:19 PDT
no, not yet.
Comment 13 Marc Bejarano 2009-04-24 13:26:40 PDT
shouldn't this be "in-testsuite -" then?
Comment 14 Bob Clary [:bc:] 2009-04-24 13:32:27 PDT
No. It has a test attached to the bug and that will be checked in shortly.
Comment 15 Marc Bejarano 2009-05-13 11:51:40 PDT
hi bob.  did it get checked in?
Comment 16 Bob Clary [:bc:] 2009-06-01 16:49:19 PDT
Comment 17 Bob Clary [:bc:] 2009-08-07 16:48:15 PDT
/cvsroot/mozilla/js/tests/js1_8/extensions/regress-475971.js,v  <--  regress-475971.js
initial revision: 1.1
Comment 18 Bob Clary [:bc:] 2009-10-14 16:40:45 PDT
v no crashes with 1.9.1, 1.9.2, 1.9.3

Note You need to log in before you can comment on or make changes to this bug.