Closed Bug 520890 Opened 16 years ago Closed 16 years ago

obj_getOwnPropertyDescriptor nests object locks

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
Other Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9.3a1

People

(Reporter: jorendorff, Assigned: Waldo)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Patch
5.02 KB, patch
jorendorff
: review+
Details | Diff | Splinter Review
While a property is held we call js_NewObject (not supposed to do that; it could GC) and then obj->getProperty (nesting the lock). JSObject *pobj; JSProperty *prop; if (!obj->lookupProperty(cx, nameidr.id(), &pobj, &prop)) return JS_FALSE; MUST_FLOW_THROUGH("drop_property"); if (!pobj->getAttributes(cx, nameidr.id(), prop, &attrs)) goto drop_property; /* We have our own property, so start creating the descriptor. */ desc = js_NewObject(cx, &js_ObjectClass, NULL, NULL); if (!desc) goto drop_property; *vp = OBJECT_TO_JSVAL(desc); /* Root and return. */ if (!(attrs & (JSPROP_GETTER | JSPROP_SETTER))) { JSAutoTempValueRooter tvr(cx); if (!obj->getProperty(cx, nameidr.id(), tvr.addr()) || ... We probably shouldn't be calling a hook (like JSObjectOps::getProperty) here regardless. See bug 520882. Here obj is either a native object, a dense array, or an XML object. I think we should special-case native objects and arrays to access the slot directly without calling a hook. For XML objects, we can throw or synthesize getter and setter functions.
I'm working on a patch, and I think I have it finished actually. However, because this error triggers no assertions in an ST shell, I'm working on adding assertions to detect this error to some extent -- and those assertions are a bit tricky given how we rely on native-property-hold/drop being equivalent to locking/unlocking the object/scope. It's getting there -- completed patch with assertion coverage quite soon, I hope.
Attached patch PatchSplinter Review
Getting the assertions done will be a long and tedious process (I've already fixed a whole lot of them in a work-in-progress patch), and this wants to be fixed rather sooner than after I finish that work. Locking issues aside, this formulation seems better than the original anyway.
Assignee: general → jwalden+bmo
Status: NEW → ASSIGNED
Attachment #411324 - Flags: review?(jorendorff)
Comment on attachment 411324 [details] [diff] [review] Patch Looks great.
Attachment #411324 - Flags: review?(jorendorff) → review+
http://hg.mozilla.org/tracemonkey/rev/b0fb1a71bd17
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla1.9.3a1
http://hg.mozilla.org/mozilla-central/rev/b0fb1a71bd17
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: