Closed Bug 520890 Opened 15 years ago Closed 15 years ago

obj_getOwnPropertyDescriptor nests object locks

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1

People

(Reporter: jorendorff, Assigned: Waldo)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Patch
5.02 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review 
While a property is held we call js_NewObject (not supposed to do that; it could GC) and then obj->getProperty (nesting the lock).

    JSObject *pobj;
    JSProperty *prop;
    if (!obj->lookupProperty(cx, nameidr.id(), &pobj, &prop))
        return JS_FALSE;
    MUST_FLOW_THROUGH("drop_property");

    if (!pobj->getAttributes(cx, nameidr.id(), prop, &attrs))
        goto drop_property;

    /* We have our own property, so start creating the descriptor. */
    desc = js_NewObject(cx, &js_ObjectClass, NULL, NULL);
    if (!desc)
        goto drop_property;
    *vp = OBJECT_TO_JSVAL(desc); /* Root and return. */

    if (!(attrs & (JSPROP_GETTER | JSPROP_SETTER))) {
        JSAutoTempValueRooter tvr(cx);
        if (!obj->getProperty(cx, nameidr.id(), tvr.addr()) ||
            ...

We probably shouldn't be calling a hook (like JSObjectOps::getProperty) here regardless. See bug 520882.

Here obj is either a native object, a dense array, or an XML object. I think we should special-case native objects and arrays to access the slot directly without calling a hook. For XML objects, we can throw or synthesize getter and setter functions.
I'm working on a patch, and I think I have it finished actually.  However, because this error triggers no assertions in an ST shell, I'm working on adding assertions to detect this error to some extent -- and those assertions are a bit tricky given how we rely on native-property-hold/drop being equivalent to locking/unlocking the object/scope.  It's getting there -- completed patch with assertion coverage quite soon, I hope.
Attached patch PatchSplinter Review 
Getting the assertions done will be a long and tedious process (I've already fixed a whole lot of them in a work-in-progress patch), and this wants to be fixed rather sooner than after I finish that work.

Locking issues aside, this formulation seems better than the original anyway.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attachment #411324 - Flags: review?(jorendorff)
Comment on attachment 411324 [details] [diff] [review]
Patch

Looks great.
Attachment #411324 - Flags: review?(jorendorff) → review+
http://hg.mozilla.org/tracemonkey/rev/b0fb1a71bd17
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla1.9.3a1
http://hg.mozilla.org/mozilla-central/rev/b0fb1a71bd17
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: