Closed Bug 940629 Opened 11 years ago Closed 11 years ago

Root StackShape across getChildPropertyOnDictionary calls

Categories

(Core :: JavaScript Engine, defect)

Not set
normal

RESOLVED FIXED
mozilla28

People

(Reporter: sfink, Assigned: sfink)

Details

(Whiteboard: [qa-])

Attachments

(1 file)

There are 2 places where an unrooted StackShape is live across a call to getChildPropertyOnDictionary. The analysis does not report these as hazards because the StackShape is passed in by reference. Presumably these are reported instead as taking an address of an unrooted variable; I haven't looked.
r? bhackett because StackShape is rooted-on-demand, and these look like pretty hot uses. I don't know whether this'll show up on awfy ggc.
Attachment #8334770 - Flags: review?(bhackett1024)
Comment on attachment 8334770
Root StackShape across getChildPropertyOnDictionary calls

Review of attachment 8334770:
-----------------------------------------------------------------

(In reply to Steve Fink [:sfink] from comment #0)
> Presumably these are
> reported instead as taking an address of an unrooted variable; I haven't
> looked.

Can you look, please?
Attachment #8334770 - Flags: review?(bhackett1024) → review+
Yes, they're there. Example:

Function 'js::Shape* JSObject::putProperty(js::ForkJoinSlice*, class JS::Handle<JSObject*>, class JS::Handle<jsid>, (uint8)(JSContext*,class JS::Handle<JSObject*>,class JS::Handle<jsid>,class JS::MutableHandle<JS::Value>)*, (uint8)(JSContext*,class JS::Handle<JSObject*>,class JS::Handle<jsid>,uint8,class JS::MutableHandle<JS::Value>)*, uint32, uint32, uint32, int32) [with js::ExecutionMode mode = (js::ExecutionMode)1u; typename js::ExecutionModeTraits<mode>::ExclusiveContextType = js::ForkJoinSlice*; JS::HandleObject = JS::Handle<JSObject*>; JS::HandleId = JS::Handle<jsid>; js::PropertyOp = bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>); js::StrictPropertyOp = bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>); uint32_t = unsigned int]' takes unsafe address of unrooted 'child' at js/src/vm/Shape.cpp:919
Blocks: 898606
https://hg.mozilla.org/mozilla-central/rev/e9294ddf600c
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Whiteboard: [qa-]
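
The hazard described in comment 0, as an added example that is not part of this bug or of the SpiderMonkey tree: a toy moving collector shows why a stack value holding a raw GC pointer must be rooted before it is passed by reference to a callee that can collect. ToyHeap, ToyStackShape, AutoRoot and getChildAfterGC are hypothetical names constructed for the illustration.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

struct Cell { int value; };

// Toy two-space moving collector (constructed; not SpiderMonkey code).
struct ToyHeap {
    Cell spaceA[8], spaceB[8];
    Cell* from = spaceA;
    size_t used = 0;
    std::vector<Cell**> roots;   // addresses of pointers the GC must update

    Cell* alloc(int v) { from[used] = Cell{v}; return &from[used++]; }

    // Copy cells to the other space, fix up registered roots, then poison
    // the old space so a stale pointer is observable as -1.
    void collect() {
        Cell* to = (from == spaceA) ? spaceB : spaceA;
        for (size_t i = 0; i < used; i++) to[i] = from[i];
        for (Cell** r : roots) *r = to + (*r - from);
        for (size_t i = 0; i < used; i++) from[i].value = -1;
        from = to;
    }
};

// Stand-in for a stack-allocated value that carries a raw GC pointer.
struct ToyStackShape { Cell* base; };

// RAII rooter: registers the pointer's address for the current scope.
struct AutoRoot {
    ToyHeap& heap;
    AutoRoot(ToyHeap& h, Cell** p) : heap(h) { heap.roots.push_back(p); }
    ~AutoRoot() { heap.roots.pop_back(); }
};

// Stand-in for a callee that takes the value by reference and can GC.
int getChildAfterGC(ToyHeap& heap, ToyStackShape& child) {
    heap.collect();              // in a real engine, any allocation may do this
    return child.base->value;    // stale unless child.base was rooted
}

int unrootedCall(ToyHeap& heap) {
    ToyStackShape child{heap.alloc(42)};
    return getChildAfterGC(heap, child);   // pointer not updated by the GC
}

int rootedCall(ToyHeap& heap) {
    ToyStackShape child{heap.alloc(42)};
    AutoRoot root(heap, &child.base);      // GC now relocates child.base
    return getChildAfterGC(heap, child);
}

int main() {
    ToyHeap a, b;
    std::printf("unrooted=%d rooted=%d\n", unrootedCall(a), rootedCall(b));
}
```

In the toy the stale read lands in poisoned but still valid memory; in a real engine the old location may have been reused, which is why such hazards are treated as memory-safety bugs.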