Closed Bug 680755 Opened 13 years ago Closed 13 years ago

Missing goto out in CompileUCFunctionForPrincipalsCommon

Categories

(Core :: JavaScript Engine, defect)

Other Branch
x86
macOS
defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla9

People

(Reporter: igor, Assigned: igor)

References

Details

Attachments

(1 file, 1 obsolete file)

Since the bug 679879 CompileUCFunctionForPrincipalsCommon from jsapi.cpp contains http://hg.mozilla.org/mozilla-central/annotate/6dc468c41136/js/src/jsapi.cpp#l4724 : EmptyShape *emptyCallShape = EmptyShape::getEmptyCallShape(cx); if (!emptyCallShape) fun = NULL; AutoShapeRooter shapeRoot(cx, emptyCallShape); AutoObjectRooter tvr(cx, fun); That is, there is a missing goto out here. This bug leads to a NULL pointer deref in case EmptyShape::getEmptyCallShape fails to allocate the shape.
Attached patch v 0.1 (obsolete) — Splinter Review
The patch adds an auto class to do the last-frame-checks and uses it in CompileUCFunctionForPrincipalsCommon to replace replace LAST_FRAME_CHECKS macro. This way on errors the code can immediately return null. If the proposed usage looks OK, I will replace all LAST_FRAME_CHECKS with the new class.
Attachment #554714 - Flags: feedback?(jorendorff)
Comment on attachment 554714 [details] [diff] [review] v 0.1 This is a fine idea. I'll be happy to review, but the patch has a bug: LAST_FRAME_CHECKS only reports an exception if no JS code is running on cx (hence the words "last frame" in the name). This is by design. It means that JSNatives and other callbacks can call public JSAPI functions like so: if (!JS_CallFunctionName(cx, obj, "foo", 0, NULL, &v)) return false; and any exceptions thrown from obj.foo() will be propagated to the caller, not squelched or converted to uncatchable errors. (If we don't have a test for this, consider writing a jsapi-test.) I think the success() method is unnecessary. It's harmless to check for an exception on success.
Attachment #554714 - Flags: feedback?(jorendorff)
(In reply to Jason Orendorff [:jorendorff] from comment #2) > This is a fine idea. I'll be happy to review, but the patch has a bug: > LAST_FRAME_CHECKS only reports an exception if no JS code is running on cx > (hence the words "last frame" in the name). Thanks for catching this, the destructor were supposed to look like: if (cx && JS_IsRunning(cx) && !cx->hasRunOption(JSOPTION_DONT_REPORT_UNCAUGHT)) js_ReportUncaughtException(cx); > I think the success() method is unnecessary. It's harmless to check for an > exception on success. Do you suggest to check for cx->throwing instead? That would indeed remove the need for the success method.
(In reply to Igor Bukanov from comment #3) > (In reply to Jason Orendorff [:jorendorff] from comment #2) > > I think the success() method is unnecessary. It's harmless to check for an > > exception on success. > > Do you suggest to check for cx->throwing instead? That would indeed remove > the need for the success method. The drawback of checking for cx->throwing is an extra branch per API call. With the explicit success() the compiler can optimize away the exception check at places where the code checks for errors in any case. But I presume that would not affect the benchmarks...
(In reply to Igor Bukanov from comment #3) > Do you suggest to check for cx->throwing instead? That would indeed remove > the need for the success method. Yes. (In reply to Igor Bukanov from comment #4) > The drawback of checking for cx->throwing is an extra branch per API call. > With the explicit success() the compiler can optimize away the exception > check at places where the code checks for errors in any case. I actually find this fairly convincing. Keep it if you prefer.
Attached patch v1Splinter Review
The new version removes the success method and checks for cx->throwing instead. In most places where the last frame checks are used we do not check for the error explicitly and just return the result of the internal api call directly. So the issues from the comment 4 is not common to justify extra code complexity. The patch also removes unnecessary anchoring and rooting around js_NewFunction in couple of places via rearranging the sequence of calls so compileFunctionBody immediately follows js_NewFunction.
Attachment #554714 - Attachment is obsolete: true
Attachment #555548 - Flags: review?(jorendorff)
Comment on attachment 555548 [details] [diff] [review] v1 Nice cleanup.
Attachment #555548 - Flags: review?(jorendorff) → review+
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: