Closed Bug 490092 Opened 15 years ago Closed 15 years ago

js_NewInstance locks ctor on trace

Categories: Core :: JavaScript Engine, defect, P2
Tracking: RESOLVED FIXED, mozilla1.9.1
People: Reporter: jorendorff, Assigned: gal
Details: Keywords: fixed1.9.1, Whiteboard: fixed-in-tracemonkey
Attachments: 1 file

This is not a big deal for embeddings (like Gecko) that never share objects.

This might be INVALID altogether, but it seems dangerous to me.

    JS_LOCK_OBJ(cx, ctor);
    JSScope *scope = OBJ_SCOPE(ctor);
    if (scope->object != ctor) {
        scope = js_GetMutableScope(cx, ctor);
        if (!scope)
            return NULL;
    }

If ctor is shared, JS_LOCK_OBJ could try to deep-bail.  This is not a _FAIL builtin, so cx->bailExit will not be set.

I think we could just check ownercx, and if it is not set, return NULL.

Sure, ownercx or bust. I'll review that for a dollar! ;-)

/be
Taking you up on that offer.
Assignee: general → gal
Isn't there a bug in that code anyway? we can return out with NULL and leave the object locked. This will fix that too.
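Added illustration, not SpiderMonkey code and not the attached patch: a toy C model of the locking prologue in js_NewInstance with the two changes discussed in the comments above, the ownercx check before locking while on trace, and unlocking ctor on the js_GetMutableScope failure path so the lock is not leaked. JSContext, JSScope, JSObject, lock_obj, unlock_obj, get_mutable_scope and run_scenario are simplified stand-ins invented for this model.

```c
#include <stdbool.h>
#include <stddef.h>
/* Toy model of the types involved; not SpiderMonkey's real definitions. */
typedef struct JSContext { int id; } JSContext;
typedef struct JSObject JSObject;
typedef struct JSScope {
    JSContext *ownercx; /* context owning the scope exclusively, NULL once shared */
    JSObject  *object;  /* object the scope belongs to; differs for a shared scope */
} JSScope;
struct JSObject { JSScope *scope; int lock_depth; };
/* Stand-ins for JS_LOCK_OBJ / JS_UNLOCK_OBJ: the real macro may deep-bail on a
 * shared object; here we only count, so a leaked lock is observable. */
static void lock_obj(JSObject *obj)   { obj->lock_depth++; }
static void unlock_obj(JSObject *obj) { obj->lock_depth--; }
/* Stand-in for js_GetMutableScope: give ctor its own scope, or fail (OOM). */
static JSScope *get_mutable_scope(JSContext *cx, JSObject *ctor, JSScope *fresh)
{
    if (!fresh) return NULL;  /* simulated allocation failure */
    fresh->ownercx = cx; fresh->object = ctor;
    return ctor->scope = fresh;
}
/* Locking prologue with both fixes: on trace, return NULL unless cx owns ctor's
 * scope (locking a shared ctor could deep-bail with no bailExit set), and unlock
 * ctor before returning NULL on js_GetMutableScope failure. On success ctor
 * stays locked and the caller must unlock_obj(ctor). */
static JSScope *new_instance_scope(JSContext *cx, JSObject *ctor, bool on_trace, JSScope *fresh)
{
    if (on_trace && ctor->scope->ownercx != cx) return NULL;
    lock_obj(ctor);
    JSScope *scope = ctor->scope;
    if (scope->object != ctor) {
        scope = get_mutable_scope(cx, ctor, fresh);
        if (!scope) { unlock_obj(ctor); return NULL; }
    }
    return scope;
}
/* Scenario driver: ctor shares proto's scope so the mutable-scope path runs.
 * Returns 0 = refused on trace (never locked), 1 = success then unlocked,
 * 2 = allocation failure with no leaked lock, -1 = a lock was leaked. */
static int run_scenario(bool on_trace, bool owned, bool alloc_ok)
{
    JSContext cx = {1}; JSObject proto = {0}, ctor = {0};
    JSScope shared = { owned ? &cx : NULL, &proto }, fresh;
    proto.scope = ctor.scope = &shared;
    JSScope *s = new_instance_scope(&cx, &ctor, on_trace, alloc_ok ? &fresh : NULL);
    if (!s) return ctor.lock_depth != 0 ? -1 : (on_trace && !owned) ? 0 : 2;
    bool ok = ctor.lock_depth == 1 && s->object == &ctor;
    unlock_obj(&ctor);
    return ok && ctor.lock_depth == 0 ? 1 : -1;
}
```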
Attached patch patch
Attachment #374567 - Flags: review?(brendan)
Attachment #374567 - Flags: review?(brendan) → review+
Fixed in TM.

http://hg.mozilla.org/tracemonkey/rev/a7f09e968cd1

Will not be tripped in FF, but can bite other embeddings badly. Wanted.
Flags: wanted1.9.1?
Priority: -- → P2
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla1.9.1
http://hg.mozilla.org/mozilla-central/rev/a7f09e968cd1
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: wanted1.9.1? → wanted1.9.1+
Resolution: --- → FIXED