Closed
Bug 925547
Opened 10 years ago
Closed 10 years ago
Suppress GC in debug-only call
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla27
People
(Reporter: sfink, Assigned: sfink)
References
Details
Attachments
(1 file)
|
1.04 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
Hazard:
Function 'uint8 js::ExecuteKernel(JSContext*, const class JS::Handle<JSScript*>, JSObject*, JS::Value*, uint32, js::AbstractFramePtr, JS::Value*)' has unrooted 'scopeChainArg' of type 'JSObject*' live across GC call 'JSObject* GetOuterObject(JSContext*, class JS::Handle<JSObject*>)' at js/src/vm/Interpreter.cpp:596
Code:
bool
js::ExecuteKernel(JSContext *cx, HandleScript script, JSObject &scopeChainArg, ...)
{
...
#ifdef DEBUG
if (thisv.isObject()) {
RootedObject thisObj(cx, &thisv.toObject());
JS_ASSERT(GetOuterObject(cx, thisObj) == thisObj);
}
#endif
|
Assignee | |
Comment 1•10 years ago
|
||
I stuck in an AutoSuppressGC in the debug-only section.
Attachment #815615 -
Flags: review?(terrence)
|
||
Comment 2•10 years ago
|
||
Comment on attachment 815615 [details] [diff] [review] Suppress GC in debug-only call Review of attachment 815615 [details] [diff] [review]: ----------------------------------------------------------------- r=me
Attachment #815615 -
Flags: review?(terrence) → review+
|
|
Assignee | |
Comment 3•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/09b4e50f4b2f
|
||
Comment 4•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/09b4e50f4b2f
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
You need to log in
before you can comment on or make changes to this bug.
Description
•