Closed
Bug 500580
Opened 15 years ago
Closed 15 years ago
JS_CallFunction path isn't ~JIT guarded against non-global scope chains
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: graydon, Assigned: graydon)
References
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.54 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
Bug 497060 comment 32 notes that paths into the JIT from event handlers can have long scope chains that are not the global object as well; this needs a fix similar to the fix in that bug.
|
Assignee | |
Comment 1•15 years ago
|
||
Attachment #385295 -
Flags: review?
|
||
Comment 2•15 years ago
|
||
Comment on attachment 385295 [details] [diff] [review] Proposed fix, straight copy of the other >diff --git a/js/src/jsinterp.cpp b/js/src/jsinterp.cpp >--- a/js/src/jsinterp.cpp >+++ b/js/src/jsinterp.cpp >@@ -1429,16 +1429,30 @@ JSBool > js_InternalInvoke(JSContext *cx, JSObject *obj, jsval fval, uintN flags, > uintN argc, jsval *argv, jsval *rval) > { > jsval *invokevp; > void *mark; > JSBool ok; > > js_LeaveTrace(cx); >+ >+#ifdef JS_TRACER >+ /* >+ * The JIT requires that the scope chain here is equal to >+ * its global object. Disable the JIT for this call if this >+ * condition is not true. >+ */ >+ uint32 oldOptions = cx->options; >+ if ((oldOptions & JSOPTION_JIT) && obj != JS_GetGlobalForObject(cx, obj)) { ..12345678901234567890123456789012345678901234567890123456789012345678901234567890 Looks good, one nit: even ye olde 80 column limit allows this to fit on one line and the consequent to be unbraced. The comment could be wrapped more generously too. /be
Attachment #385295 -
Flags: review? → review+
|
|
||
Updated•15 years ago
|
Flags: wanted1.9.1.x?
|
|
Assignee | |
Comment 3•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/d783ad5c9975 (With style nit corrected, and applied retroactively to former bug's patch too).
Whiteboard: fixed-in-tracemonkey
|
||
Comment 4•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/d783ad5c9975
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Comment 5•15 years ago
|
||
This change causes us to never trace anything running off an event handler, obviously. See bug 503694. That's really not acceptable for the browser end of things...
|
|
||
Comment 6•15 years ago
|
||
(In reply to comment #5) > This change causes us to never trace anything running off an event handler, > obviously. See bug 503694. That's really not acceptable for the browser end > of things... It's also unnecessary for the typical case of the event handler function calling a function defined in a <script> tag. See 503694 comment 13 :-(. /be
You need to log in
before you can comment on or make changes to this bug.
Description
•