Bug 490092: js_NewInstance locks ctor on trace
Status: RESOLVED FIXED (opened 15 years ago, closed 15 years ago)
Categories: Core :: JavaScript Engine, defect, P2
Milestone: mozilla1.9.1
People: Reporter: jorendorff, Assigned: gal
Details: Keywords: fixed1.9.1, Whiteboard: fixed-in-tracemonkey
Attachments: 1 file (patch, 1.31 KB; brendan: review+)
This is not a big deal for embeddings (like Gecko) that never share objects.
This might be INVALID altogether, but it seems dangerous to me.
    JS_LOCK_OBJ(cx, ctor);
    JSScope *scope = OBJ_SCOPE(ctor);
    if (scope->object != ctor) {
        scope = js_GetMutableScope(cx, ctor);
        if (!scope)
            return NULL;
    }
If ctor is shared, JS_LOCK_OBJ could try to deep-bail. This is not a _FAIL builtin, so cx->bailExit will not be set.
I think we could just check ownercx, and if it is not set, return NULL.
Comment 1 • 15 years ago
Sure, ownercx or bust. I'll review that for a dollar! ;-)
/be
Comment 3 (Assignee) • 15 years ago
Isn't there a bug in that code anyway? We can return out with NULL and leave the object locked. This will fix that too.
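Added example, not part of the bug thread and not the attached patch: a simplified C model of the two problems raised in the description and in comment 3 (locking a shared ctor on trace, and returning NULL with the lock held), next to a variant that checks ownership first. All types and function names are hypothetical stand-ins rather than SpiderMonkey APIs, and the model assumes an object with an owner needs no lock.

```c
#include <stddef.h>

/* Simplified model; every name here is hypothetical, not a SpiderMonkey API. */
typedef struct Ctx { int on_trace; int bailed; } Ctx;
typedef struct Obj {
    Ctx *owner;      /* models ownercx: NULL means the object is shared */
    int  lock_depth; /* models the object lock; should be 0 after a call */
    int  scope_ok;   /* constructed knob: 0 makes the scope step fail */
} Obj;

/* Locking a shared object is the slow path; on trace it forces a bail-out. */
static void lock_obj(Ctx *cx, Obj *o) {
    if (o->owner == NULL && cx->on_trace)
        cx->bailed = 1;
    o->lock_depth++;
}

static void unlock_obj(Obj *o) { o->lock_depth--; }

/* Shape of the code quoted in the report: lock first, and the failure
   return leaves the lock held. */
static Obj *new_instance_before(Ctx *cx, Obj *ctor, Obj *result) {
    lock_obj(cx, ctor);
    if (!ctor->scope_ok)
        return NULL;          /* lock_depth is still 1 here */
    unlock_obj(ctor);
    return result;
}

/* Ownership check first: a shared ctor fails before any lock is taken, so
   there is nothing to bail from and no lock to leak on the error path. */
static Obj *new_instance_after(Ctx *cx, Obj *ctor, Obj *result) {
    (void)cx;
    if (ctor->owner == NULL)
        return NULL;
    if (!ctor->scope_ok)
        return NULL;
    return result;
}
```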
Comment 4 (Assignee) • 15 years ago
Attachment #374567 - Flags: review?(brendan)
Updated • 15 years ago
Attachment #374567 - Flags: review?(brendan) → review+
Comment 5 (Assignee) • 15 years ago
Fixed in TM.
http://hg.mozilla.org/tracemonkey/rev/a7f09e968cd1
Will not be tripped in FF, but can bite other embeddings badly. Wanted.
Flags: wanted1.9.1?
Priority: -- → P2
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla1.9.1
Comment 6 • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: wanted1.9.1? → wanted1.9.1+
Resolution: --- → FIXED
Comment 7 • 15 years ago
Keywords: fixed1.9.1