Rooting hazards in debugger functions EnsureFunctionHasScript() and GetOrCreateFunctionScript()

RESOLVED DUPLICATE of bug 945360

Product: Core
Component: JavaScript Engine

People

(Reporter: jonco, Assigned: jonco)

Tracking

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

Description (jonco, Assignee, 4 years ago)

Function 'Debugger.cpp:uint8 EnsureFunctionHasScript(JSContext*, JSFunction*)' has unrooted 'fun' of type 'JSFunction*' live across GC call 'void js::AutoCompartment::AutoCompartment(js::ExclusiveContext*, JSObject*)' at js/src/vm/Debugger.cpp:105
    js/src/vm/Debugger.cpp:106: Call(4,5, __temp_2 := fun*.getOrCreateScript(cx*))
GC Function: void js::AutoCompartment::AutoCompartment(js::ExclusiveContext*, JSObject*)
    void js::ExclusiveContext::enterCompartment(JSCompartment*)
    void JSContext::wrapPendingException()
    uint8 JSCompartment::wrap(JSContext*, class JS::MutableHandle<JS::Value>, class JS::Handle<JSObject*>)
    uint8 JSCompartment::wrap(JSContext*, JSString**)
    JSFlatString* js_NewStringCopyN(js::ExclusiveContext*, uint16*, uint64) [with js::AllowGC allowGC = (js::AllowGC)1u; jschar = char16_t; size_t = long unsigned int]
    String-inl.h:JSInlineString* js::NewShortString(js::ExclusiveContext*, JS::TwoByteChars) [with js::AllowGC allowGC = (js::AllowGC)1u]
    String-inl.h:JSInlineString* js::NewShortString(js::ExclusiveContext*, JS::StableTwoByteChars) [with js::AllowGC allowGC = (js::AllowGC)1u]
    JSShortString* JSShortString::new_(js::ThreadSafeContext*) [with js::AllowGC allowGC = (js::AllowGC)1u]
    JSShortString* js_NewGCShortString(js::ThreadSafeContext*) [with js::AllowGC allowGC = (js::AllowGC)1u]
    JSShortString* js::gc::NewGCThing(js::ThreadSafeContext*, uint32, uint64, uint32) [with T = JSShortString; js::AllowGC allowGC = (js::AllowGC)1u; size_t = long unsigned int]
    void js::gc::RunDebugGC(JSContext*)
    void js::MinorGC(JSRuntime*, uint32)
    GC
Function 'Debugger.cpp:JSScript* GetOrCreateFunctionScript(JSContext*, JSFunction*)' has unrooted 'fun' of type 'JSFunction*' live across GC call 'Debugger.cpp:uint8 EnsureFunctionHasScript(JSContext*, JSFunction*)' at js/src/vm/Debugger.cpp:115
    js/src/vm/Debugger.cpp:115: Assume(8,10, !__temp_3*, false)
    js/src/vm/Debugger.cpp:117: Call(10,11, return := fun*.nonLazyScript())
GC Function: Debugger.cpp:uint8 EnsureFunctionHasScript(JSContext*, JSFunction*)
    JSScript* JSFunction::getOrCreateScript(JSContext*)
    uint8 JSFunction::createScriptForLazilyInterpretedFunction(JSContext*, class JS::Handle<JSFunction*>)
    uint8 JSRuntime::cloneSelfHostedFunctionScript(JSContext*, class JS::Handle<js::PropertyName*>, class JS::Handle<JSFunction*>)
    JSScript* js::CloneScript(JSContext*, class JS::Handle<JSObject*>, class JS::Handle<JSFunction*>, const class JS::Handle<JSScript*>, uint32)
    JSObject* js::CloneObjectLiteral(JSContext*, class JS::Handle<JSObject*>, class JS::Handle<JSObject*>)
    JSObject* js::NewReshapedObject(JSContext*, class JS::Handle<js::types::TypeObject*>, JSObject*, uint32, class JS::Handle<js::Shape*>, uint32)
    Shape.cpp:js::UnownedBaseShape* GetOrLookupUnownedBaseShape(js::ExclusiveContext*, js::StackBaseShape*) [with js::ExecutionMode mode = (js::ExecutionMode)0u; typename js::ExecutionModeTraits<mode>::ExclusiveContextType = js::ExclusiveContext*]
    js::UnownedBaseShape* js::BaseShape::getUnowned(js::ExclusiveContext*, js::StackBaseShape*)
    js::BaseShape* js_NewGCBaseShape(js::ThreadSafeContext*) [with js::AllowGC allowGC = (js::AllowGC)1u]
    js::BaseShape* js::gc::NewGCThing(js::ThreadSafeContext*, uint32, uint64, uint32) [with T = js::BaseShape; js::AllowGC allowGC = (js::AllowGC)1u; size_t = long unsigned int]
    void js::gc::RunDebugGC(JSContext*)
    void js::MinorGC(JSRuntime*, uint32)
    GC

Comment 1 (jonco, Assignee, 4 years ago)

Created attachment 8340311 [details] [diff] [review]
fix-debugger-hazards

Patch to root JSFunction pointer.
Attachment #8340311 - Flags: review?(sphink)

Comment 2

Comment on attachment 8340311 [details] [diff] [review]
fix-debugger-hazards

Review of attachment 8340311 [details] [diff] [review]:
-----------------------------------------------------------------

Sad that we can't just do asRooted<JSFunction> or something, but oh well.
Attachment #8340311 - Flags: review?(sphink) → review+

Comment 3 (jonco, Assignee, 4 years ago)

Already fixed by Terrence in bug 945360.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 945360