js_NewInstance locks ctor on trace

RESOLVED FIXED in mozilla1.9.1

Status

defect
P2
normal
RESOLVED FIXED

People

(Reporter: jorendorff, Assigned: gal)

Tracking

({fixed1.9.1})

unspecified
mozilla1.9.1
Points:
---
Bug Flags:
wanted1.9.1 +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

This is not a big deal for embeddings (like Gecko) that never share objects.

This might be INVALID altogether, but it seems dangerous to me.

    JS_LOCK_OBJ(cx, ctor);
    JSScope *scope = OBJ_SCOPE(ctor);
    if (scope->object != ctor) {
        scope = js_GetMutableScope(cx, ctor);
        if (!scope)
            return NULL;
    }

If ctor is shared, JS_LOCK_OBJ could try to deep-bail.  This is not a _FAIL builtin, so cx->bailExit will not be set.

I think we could just check ownercx, and if it is not set, return NULL.
Sure, ownercx or bust. I'll review that for a dollar! ;-)

/be
Taking you up on that offer.
Assignee: general → gal
Isn't there a bug in that code anyway? We can return out with NULL and leave the object locked. This will fix that too.
Posted patch: patch
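A small C model of the two problems raised above (locking a shared object from the trace path, and the early `return NULL` that leaves ctor locked), added here as an illustration. It is not SpiderMonkey code: `Context`, `Scope`, `Object`, the `lock_depth` counter and `get_mutable_scope` are assumed stand-ins for `JSContext`, `JSScope`, `JSObject`, `JS_LOCK_OBJ`/`JS_UNLOCK_OBJ` and `js_GetMutableScope`, and `ownercx` here means "exclusive owner context, NULL once the scope is shared across threads".

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-ins for the engine types in the snippet above; not SpiderMonkey's. */
typedef struct Context {
    int fail_mutable_scope;   /* constructed knob: make get_mutable_scope fail (OOM) */
} Context;

typedef struct Scope {
    struct Object *object;    /* owning object; != ctor means ctor still shares this scope */
    Context       *ownercx;   /* exclusive owner context; NULL models a scope shared across threads */
} Scope;

typedef struct Object {
    Scope *scope;
    int    lock_depth;        /* models JS_LOCK_OBJ / JS_UNLOCK_OBJ nesting; 0 == unlocked */
} Object;

static void lock_obj(Object *o)   { o->lock_depth++; }
static void unlock_obj(Object *o) { o->lock_depth--; }

/* Model of js_GetMutableScope: give ctor its own scope, or fail. */
static Scope *get_mutable_scope(Context *cx, Object *ctor, Scope *fresh)
{
    if (cx->fail_mutable_scope)
        return NULL;
    fresh->object = ctor;
    fresh->ownercx = cx;
    ctor->scope = fresh;
    return fresh;
}

/* Original shape: lock first; the failure path returns with ctor still locked. */
static Scope *ctor_scope_buggy(Context *cx, Object *ctor, Scope *fresh)
{
    lock_obj(ctor);
    Scope *scope = ctor->scope;
    if (scope->object != ctor) {
        scope = get_mutable_scope(cx, ctor, fresh);
        if (!scope)
            return NULL;                  /* BUG: lock leaked */
    }
    unlock_obj(ctor);
    return scope;
}

/* Fixed shape ("ownercx or bust"): refuse a shared scope before taking the lock,
   since locking it is where a deep bail could be attempted on trace, and unlock
   on every exit path. */
static Scope *ctor_scope_fixed(Context *cx, Object *ctor, Scope *fresh)
{
    if (!ctor->scope->ownercx)
        return NULL;                      /* shared across threads: do not lock on trace */
    lock_obj(ctor);
    Scope *scope = ctor->scope;
    if (scope->object != ctor) {
        scope = get_mutable_scope(cx, ctor, fresh);
        if (!scope) {
            unlock_obj(ctor);             /* release before bailing out */
            return NULL;
        }
    }
    unlock_obj(ctor);
    return scope;
}

/* Drive one variant against a ctor whose scope belongs to another object (so the
   copy-on-write path runs) and is owned by cx. Returns the lock depth left on ctor;
   anything but 0 is a leaked lock. */
static int leftover_lock_depth(int use_fixed, int fail_alloc)
{
    Context cx = { .fail_mutable_scope = fail_alloc };
    Object proto = { 0 };
    Scope shared = { .object = &proto, .ownercx = &cx };
    Scope fresh = { 0 };
    Object ctor = { .scope = &shared, .lock_depth = 0 };
    if (use_fixed)
        ctor_scope_fixed(&cx, &ctor, &fresh);
    else
        ctor_scope_buggy(&cx, &ctor, &fresh);
    return ctor.lock_depth;
}

/* 1 if the fixed variant refuses a cross-thread-shared scope without touching the lock. */
static int fixed_refuses_shared_scope(void)
{
    Context cx = { 0 };
    Object proto = { 0 };
    Scope shared = { .object = &proto, .ownercx = NULL };   /* NULL: shared across threads */
    Scope fresh = { 0 };
    Object ctor = { .scope = &shared, .lock_depth = 0 };
    Scope *s = ctor_scope_fixed(&cx, &ctor, &fresh);
    return s == NULL && ctor.lock_depth == 0;
}

int main(void)
{
    printf("buggy, alloc fails: lock depth %d\n", leftover_lock_depth(0, 1));
    printf("fixed, alloc fails: lock depth %d\n", leftover_lock_depth(1, 1));
    printf("fixed refuses shared scope: %d\n", fixed_refuses_shared_scope());
    return 0;
}
```

The leak only shows when `get_mutable_scope` fails, which is why it is easy to miss in testing; the fixed variant also never reaches the lock for a scope whose `ownercx` is NULL, which is the case the reporter was worried about on trace.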
Attachment #374567 - Flags: review?(brendan)
Attachment #374567 - Flags: review?(brendan) → review+
Fixed in TM.

http://hg.mozilla.org/tracemonkey/rev/a7f09e968cd1

Will not be tripped in FF, but can bite other embeddings badly. Wanted.
Flags: wanted1.9.1?
Priority: -- → P2
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla1.9.1
http://hg.mozilla.org/mozilla-central/rev/a7f09e968cd1
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: wanted1.9.1? → wanted1.9.1+
Resolution: --- → FIXED