Closed Bug 572625 Opened 14 years ago Closed 14 years ago

create call object only after new frame is pushed

Categories

(Core :: JavaScript Engine, defect)

Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: normal

RESOLVED FIXED

People

(Reporter: luke, Assigned: luke)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Attached patch: do it after
Using his keen powers of observation, dvander noticed that (post contiguous stack patch) js_GetCallObject is called in JSOP_CALL for a new frame before StackSpace::pushInlineFrame officially pushes the frame.  Looking inside js_GetCallObject, there is indeed an assumption that the given frame is rooted, so this is a GC hazard (albeit unlikely; GC would have to occur during a specific js_DefineProperty).
Attachment #451858 - Flags: review?(dvander)
Comment on attachment 451858 [details] [diff] [review]
do it after

looks like some enumerator changes got roped in, r=me w/ that out
Attachment #451858 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/562ea92fd89a
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/562ea92fd89a
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED