Closed
Bug 680755
Opened 13 years ago
Closed 13 years ago
Missing goto out in CompileUCFunctionForPrincipalsCommon
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla9
People
(Reporter: igor, Assigned: igor)
References
Details
Attachments
(1 file, 1 obsolete file)
19.93 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
Since the bug 679879 CompileUCFunctionForPrincipalsCommon from jsapi.cpp contains http://hg.mozilla.org/mozilla-central/annotate/6dc468c41136/js/src/jsapi.cpp#l4724 :
EmptyShape *emptyCallShape = EmptyShape::getEmptyCallShape(cx);
if (!emptyCallShape)
fun = NULL;
AutoShapeRooter shapeRoot(cx, emptyCallShape);
AutoObjectRooter tvr(cx, fun);
That is, there is a missing goto out here. This bug leads to a NULL pointer deref in case EmptyShape::getEmptyCallShape fails to allocate the shape.
Assignee | ||
Comment 1•13 years ago
|
||
The patch adds an auto class to do the last-frame-checks and uses it in CompileUCFunctionForPrincipalsCommon to replace replace LAST_FRAME_CHECKS macro. This way on errors the code can immediately return null.
If the proposed usage looks OK, I will replace all LAST_FRAME_CHECKS with the new class.
Attachment #554714 -
Flags: feedback?(jorendorff)
Comment 2•13 years ago
|
||
Comment on attachment 554714 [details] [diff] [review]
v 0.1
This is a fine idea. I'll be happy to review, but the patch has a bug: LAST_FRAME_CHECKS only reports an exception if no JS code is running on cx (hence the words "last frame" in the name). This is by design. It means that JSNatives and other callbacks can call public JSAPI functions like so:
if (!JS_CallFunctionName(cx, obj, "foo", 0, NULL, &v))
return false;
and any exceptions thrown from obj.foo() will be propagated to the caller, not squelched or converted to uncatchable errors. (If we don't have a test for this, consider writing a jsapi-test.)
I think the success() method is unnecessary. It's harmless to check for an exception on success.
Attachment #554714 -
Flags: feedback?(jorendorff)
Assignee | ||
Comment 3•13 years ago
|
||
(In reply to Jason Orendorff [:jorendorff] from comment #2)
> This is a fine idea. I'll be happy to review, but the patch has a bug:
> LAST_FRAME_CHECKS only reports an exception if no JS code is running on cx
> (hence the words "last frame" in the name).
Thanks for catching this, the destructor were supposed to look like:
if (cx && JS_IsRunning(cx) && !cx->hasRunOption(JSOPTION_DONT_REPORT_UNCAUGHT))
js_ReportUncaughtException(cx);
> I think the success() method is unnecessary. It's harmless to check for an
> exception on success.
Do you suggest to check for cx->throwing instead? That would indeed remove the need for the success method.
Assignee | ||
Comment 4•13 years ago
|
||
(In reply to Igor Bukanov from comment #3)
> (In reply to Jason Orendorff [:jorendorff] from comment #2)
> > I think the success() method is unnecessary. It's harmless to check for an
> > exception on success.
>
> Do you suggest to check for cx->throwing instead? That would indeed remove
> the need for the success method.
The drawback of checking for cx->throwing is an extra branch per API call. With the explicit success() the compiler can optimize away the exception check at places where the code checks for errors in any case. But I presume that would not affect the benchmarks...
Comment 5•13 years ago
|
||
(In reply to Igor Bukanov from comment #3)
> Do you suggest to check for cx->throwing instead? That would indeed remove
> the need for the success method.
Yes.
(In reply to Igor Bukanov from comment #4)
> The drawback of checking for cx->throwing is an extra branch per API call.
> With the explicit success() the compiler can optimize away the exception
> check at places where the code checks for errors in any case.
I actually find this fairly convincing. Keep it if you prefer.
Assignee | ||
Comment 6•13 years ago
|
||
The new version removes the success method and checks for cx->throwing instead. In most places where the last frame checks are used we do not check for the error explicitly and just return the result of the internal api call directly. So the issues from the comment 4 is not common to justify extra code complexity.
The patch also removes unnecessary anchoring and rooting around js_NewFunction in couple of places via rearranging the sequence of calls so compileFunctionBody immediately follows js_NewFunction.
Attachment #554714 -
Attachment is obsolete: true
Attachment #555548 -
Flags: review?(jorendorff)
Comment 7•13 years ago
|
||
Comment on attachment 555548 [details] [diff] [review]
v1
Nice cleanup.
Attachment #555548 -
Flags: review?(jorendorff) → review+
Assignee | ||
Comment 8•13 years ago
|
||
Comment 9•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
You need to log in
before you can comment on or make changes to this bug.
Description
•