Closed
Bug 899759
Opened 10 years ago
Closed 10 years ago
JS_NondeterministicGetWeakMapKeys can GC while iterating over a weakmap
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox23 | --- | wontfix |
| firefox24 | --- | wontfix |
| firefox25 | --- | fixed |
| b2g18 | --- | unaffected |
| b2g18-v1.0.0 | --- | unaffected |
| b2g18-v1.0.1 | --- | unaffected |
| b2g-v1.1hd | --- | unaffected |
People
(Reporter: billm, Assigned: billm)
References
Details
(Whiteboard: [qa-])
Attachments
(2 files)
|
883 bytes,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
|
1.17 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
Here's the relevant code:
for (ObjectValueMap::Base::Range r = map->all(); !r.empty(); r.popFront()) {
RootedObject key(cx, r.front().key);
if (!JS_WrapObject(cx, key.address()))
return false;
if (!js_NewbornArrayPush(cx, arr, ObjectValue(*key)))
return false;
}
The problem is that if JS_WrapObject does a GC, then the GC could modify the weakmap, which would mess up the iteration.
|
Assignee | |
Comment 1•10 years ago
|
||
This is the simplest possible solution. JS_WrapObject should never do much allocation, so we shouldn't need GC here.
Attachment #783345 -
Flags: review?(sphink)
|
||
Comment 2•10 years ago
|
||
It is probably okay to unhide this, as nondeterministicGetWeakMapKeys isn't used anywhere in Gecko or Gaia outside of tests, as far as I can see.
|
||
Comment 3•10 years ago
|
||
Yet. :)
|
|
||
Comment 4•10 years ago
|
||
Sure, but we won't be exposing anybody to danger as long as we land this at the same time as the other bug, and making it public will make the code landing waltz easier.
|
|
||
Comment 5•10 years ago
|
||
Absolutely. Sorry, I didn't mean to disagree.
|
||
Comment 6•10 years ago
|
||
Comment on attachment 783345 [details] [diff] [review] weakmap Review of attachment 783345 [details] [diff] [review]: ----------------------------------------------------------------- Is it worth a comment? // Prevent GC from mutating the weakmap while iterating.
Attachment #783345 -
Flags: review?(sphink) → review+
|
|
Assignee | |
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/eb36948223cc
|
|
Assignee | |
Comment 9•10 years ago
|
||
I guess even the simplest patch can burn the tree. https://hg.mozilla.org/integration/mozilla-inbound/rev/3ce7cb22607a
https://hg.mozilla.org/mozilla-central/rev/eb36948223cc https://hg.mozilla.org/mozilla-central/rev/3ce7cb22607a
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
|
||
Comment 12•10 years ago
|
||
Doesn't look like b2g18 has AutoSuppressGC. Needs a branch-specific patch for uplift.
status-b2g18:
--- → affected
status-b2g18-v1.0.0:
--- → wontfix
status-b2g18-v1.0.1:
--- → wontfix
status-b2g-v1.1hd:
--- → affected
status-firefox23:
--- → wontfix
status-firefox24:
--- → wontfix
status-firefox25:
--- → fixed
Flags: needinfo?(wmccloskey)
Keywords: branch-patch-needed
|
|
Assignee | |
Comment 13•10 years ago
|
||
OK, let's do it the hard way.
Attachment #784480 -
Flags: review?(sphink)
Flags: needinfo?(wmccloskey)
|
|
||
Updated•10 years ago
|
Attachment #784480 -
Flags: review?(sphink) → review+
|
|
||
Comment 14•10 years ago
|
||
No idea what branch this patch was made against, but it sure doesn't appear to have been b2g18.
Flags: needinfo?(wmccloskey)
|
|
Assignee | |
Comment 15•10 years ago
|
||
Well, I feel stupid. b2g18 never had this problem at all.
Flags: needinfo?(wmccloskey)
|
||
Updated•10 years ago
|
Keywords: branch-patch-needed
|
||
Comment 16•10 years ago
|
||
Assuming no verification needed here. Please add the verifyme keyword and remove the [qa-] whiteboard tag to request verification.
Whiteboard: [qa-]
You need to log in
before you can comment on or make changes to this bug.
Description
•