Bug 572625: create call object only after new frame is pushed
Status: RESOLVED FIXED (Closed)
Opened 14 years ago, closed 14 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: luke, Assigned: luke
Whiteboard: fixed-in-tracemonkey
Attachments (1 file): patch, 3.15 KB, dvander: review+ (Details | Diff | Splinter Review)
Description (luke):
Using his keen powers of observation, dvander noticed that (post contiguous stack patch) js_GetCallObject is called in JSOP_CALL for a new frame before StackSpace::pushInlineFrame officially pushes the frame. Looking inside js_GetCallObject, there is indeed an assumption that the given frame is rooted, so this is a GC hazard (albeit unlikely; GC would have to occur during a specific js_DefineProperty).
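The hazard in the description is an ordering bug: an object is created for a frame that the collector cannot yet see, so any GC that runs before the frame is pushed treats the object as garbage. The following is an added illustration, not SpiderMonkey code: a constructed toy mark-and-sweep heap in which only pushed frames are roots, a stand-in `get_call_object` that allocates and then hits a second GC point (mirroring the js_DefineProperty window the report mentions), and the two call orders side by side. All names (`Frame`, `push_frame`, `get_call_object`, `buggy_order`, `fixed_order`) are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed toy heap: each slot is a "call object". */
#define HEAP_SLOTS 8
#define MAX_FRAMES 4

typedef struct Obj { int in_use; int marked; } Obj;
typedef struct Frame { Obj *callobj; } Frame;

static Obj heap[HEAP_SLOTS];
static Frame *frames[MAX_FRAMES];   /* root set: only pushed frames are scanned */
static int nframes;

static void reset(void) {
  for (int i = 0; i < HEAP_SLOTS; i++) heap[i].in_use = heap[i].marked = 0;
  nframes = 0;
}

static void push_frame(Frame *fp) { frames[nframes++] = fp; }
static void pop_frame(void) { nframes--; }

/* Mark everything reachable from pushed frames, sweep the rest. */
static void gc(void) {
  for (int i = 0; i < HEAP_SLOTS; i++) heap[i].marked = 0;
  for (int i = 0; i < nframes; i++)
    if (frames[i]->callobj) frames[i]->callobj->marked = 1;
  for (int i = 0; i < HEAP_SLOTS; i++)
    if (heap[i].in_use && !heap[i].marked) heap[i].in_use = 0;  /* freed */
}

/* Allocation is itself a GC point. */
static Obj *alloc(void) {
  gc();
  for (int i = 0; i < HEAP_SLOTS; i++)
    if (!heap[i].in_use) { heap[i].in_use = 1; return &heap[i]; }
  return NULL;
}

/* Hypothetical stand-in for js_GetCallObject: lazily creates the frame's
   call object, then does further work that can trigger GC (the report
   names a js_DefineProperty as the window where this could happen). */
static Obj *get_call_object(Frame *fp) {
  if (!fp->callobj) fp->callobj = alloc();
  gc();  /* GC during post-creation initialization */
  return fp->callobj;
}

/* Returns 1 if the frame's call object survives, 0 if it was swept
   (leaving fp->callobj dangling, i.e. a use-after-free). */
static int call_object_survives(int push_before_create) {
  reset();
  Frame fp = { NULL };
  if (push_before_create) push_frame(&fp);
  get_call_object(&fp);
  if (!push_before_create) push_frame(&fp);
  int alive = fp.callobj != NULL && fp.callobj->in_use;
  pop_frame();
  return alive;
}

/* Order described in the bug: create the call object, then push. */
int buggy_order(void) { return call_object_survives(0); }
/* Order after the fix: push the frame first, then create its call object. */
int fixed_order(void) { return call_object_survives(1); }

int main(void) {
  printf("create-then-push: call object alive = %d\n", buggy_order());
  printf("push-then-create: call object alive = %d\n", fixed_order());
  return 0;
}
```

The point the toy makes explicit is that "rooted" is a property of the frame's position in the scanned stack, not of the frame struct itself: the same `Frame` value survives or dies purely depending on whether `push_frame` ran before the allocation-and-initialize sequence.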
Attachment #451858 - Flags: review?(dvander)

Comment 1 (dvander), on attachment 451858 [details] [diff] [review] "do it after":
looks like some enumerator changes got roped in, r=me w/ that out

Attachment #451858 - Flags: review?(dvander) → review+
Comment 2 (Assignee), 14 years ago:
http://hg.mozilla.org/tracemonkey/rev/562ea92fd89a

Whiteboard: fixed-in-tracemonkey
Comment 3, 14 years ago:
http://hg.mozilla.org/mozilla-central/rev/562ea92fd89a

Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED