Closed Bug 490092 Opened 15 years ago Closed 15 years ago

js_NewInstance locks ctor on trace

Categories

(Core :: JavaScript Engine, defect, P2)

RESOLVED FIXED
mozilla1.9.1

People

(Reporter: jorendorff, Assigned: gal)

Details

(Keywords: fixed1.9.1, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

This is not a big deal for embeddings (like Gecko) that never share objects. This might be INVALID altogether, but it seems dangerous to me.

    JS_LOCK_OBJ(cx, ctor);
    JSScope *scope = OBJ_SCOPE(ctor);
    if (scope->object != ctor) {
        scope = js_GetMutableScope(cx, ctor);
        if (!scope)
            return NULL;
    }

If ctor is shared, JS_LOCK_OBJ could try to deep-bail. This is not a _FAIL builtin, so cx->bailExit will not be set. I think we could just check ownercx, and if it is not set, return NULL.
Sure, ownercx or bust. I'll review that for a dollar! ;-) /be
Taking you up on that offer.
Assignee: general → gal
Isn't there a bug in that code anyway? We can return out with NULL and leave the object locked. This will fix that too.
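The two problems raised in the comments above (locking a possibly shared ctor, and returning NULL with the lock still held), as an added sketch that is not part of the bug or the attached patch. All types and function names are hypothetical stand-ins rather than SpiderMonkey's, and treating "owned by the calling context" as the ownership test is an assumption.

```c
#include <stddef.h>

/* Hypothetical stand-ins for this sketch; not SpiderMonkey's real types. */
typedef struct Context { int id; } Context;
typedef struct Object Object;
typedef struct Scope { Object *object; Context *ownercx; } Scope;
struct Object { Scope *scope; int lock_depth; };

static int simulate_oom;      /* constructed knob: make the scope copy fail */
static Scope private_scope;   /* storage for the object's own scope */

static void lock_obj(Object *o)   { o->lock_depth++; }
static void unlock_obj(Object *o) { o->lock_depth--; }

/* Gives obj its own scope, or NULL on (simulated) allocation failure. */
static Scope *get_mutable_scope(Object *obj) {
    if (simulate_oom) return NULL;
    private_scope.object = obj;
    private_scope.ownercx = obj->scope->ownercx;
    obj->scope = &private_scope;
    return obj->scope;
}

/* Shape of the code quoted in the report: the early return leaks the lock. */
static Object *new_instance_before(Context *cx, Object *ctor) {
    (void)cx;
    lock_obj(ctor);
    Scope *scope = ctor->scope;
    if (scope->object != ctor) {
        scope = get_mutable_scope(ctor);
        if (!scope) return NULL;           /* ctor is still locked here */
    }
    unlock_obj(ctor);
    return ctor;                           /* placeholder for the new instance */
}

/* Ownership check first: no lock is taken, so no path can leak one. */
static Object *new_instance_after(Context *cx, Object *ctor) {
    Scope *scope = ctor->scope;
    if (scope->ownercx != cx) return NULL; /* shared or unowned: refuse on trace */
    if (scope->object != ctor) {
        scope = get_mutable_scope(ctor);
        if (!scope) return NULL;
    }
    return ctor;                           /* placeholder for the new instance */
}
```

Returning NULL from the checked version tells the caller to take its slower fallback path, which is where a shared object can be locked safely.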
Attached patch
Attachment #374567 - Flags: review?(brendan)
Attachment #374567 - Flags: review?(brendan) → review+
Fixed in TM.
http://hg.mozilla.org/tracemonkey/rev/a7f09e968cd1
Will not be tripped in FF, but can bite other embeddings badly. Wanted.
Flags: wanted1.9.1?
Priority: -- → P2
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla1.9.1
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: wanted1.9.1? → wanted1.9.1+
Resolution: --- → FIXED