Closed Bug 947323 Opened 11 years ago Closed 10 years ago

Fix two false positive rooting analysis hazards in ScriptSource::create

Categories: Core :: JavaScript Engine, defect (priority not set, severity normal)

Status: RESOLVED FIXED
Target Milestone: mozilla29

People: Reporter: terrence, Assigned: terrence

Whiteboard: [qa-]

Attachments: 1 file

Function 'js::ScriptSourceObject* js::ScriptSourceObject::create(js::ExclusiveContext*, js::ScriptSource*, JS::ReadOnlyCompileOptions*)' has unrooted '__temp_11' of type 'js::ScriptSourceObject*' live across GC call JS::ReadOnlyCompileOptions.element at js/src/jsscript.cpp:1009
    js/src/jsscript.cpp:1009: Call(21,22, __temp_13 := options*.element*())
    js/src/jsscript.cpp:1009: Call(22,23, __temp_12 := ObjectOrNullValue(__temp_13*))
    js/src/jsscript.cpp:1009: Call(23,24, __temp_11*.field:0.field:0.initSlot(1,__temp_12))

Function 'js::ScriptSourceObject* js::ScriptSourceObject::create(js::ExclusiveContext*, js::ScriptSource*, JS::ReadOnlyCompileOptions*)' has unrooted '__temp_15' of type 'js::ScriptSourceObject*' live across GC call JS::ReadOnlyCompileOptions.elementProperty at js/src/jsscript.cpp:1011
    js/src/jsscript.cpp:1011: Call(27,28, __temp_17 := options*.elementProperty*())
    js/src/jsscript.cpp:1011: Call(28,29, __temp_16 := StringValue(__temp_17*))
    js/src/jsscript.cpp:1011: Call(29,33, __temp_15*.field:0.field:0.initSlot(2,__temp_16))
Line: sourceObject->initSlot(ELEMENT_SLOT, ObjectOrNullValue(options.element()));

The problem here is that operator-> unpacks the ScriptSourceObject* onto the stack before the call to options.element(). I'm glad that gcc can actually detect this class of problem. In this case at least, options.element() can't really GC, but it is a direct call to a virtual method.

This should get fixed by the work Steve is doing to fix this case in general. Another option is the patch attached here. I'm filing this bug mostly so that I don't have to re-do the investigation again.
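As an added illustration (not code from this bug or from SpiderMonkey), a toy moving GC that reproduces the ordering hazard described above and the hoisted-argument fix. Obj, Rooted, moveGC and elementValue are stand-ins for ScriptSourceObject, Rooted<T*>, the collector and options.element(), not SpiderMonkey APIs.

```cpp
#include <memory>
#include <vector>

// Toy heap cell. A moving GC copies live cells; the abandoned copy is flagged.
struct Obj {
    int slots[4] = {0, 0, 0, 0};
    bool moved = false;  // true on a stale copy left behind by moveGC()
    // Returns true if this write landed on a stale copy (a use-after-move).
    bool initSlot(int i, int v) { slots[i] = v; return moved; }
};

static std::vector<std::unique_ptr<Obj>> gArena;  // owns every copy, so stale writes stay defined here
static std::vector<Obj**> gRoots;                 // root list: pointer slots the GC updates on move
static Obj* allocate() { gArena.push_back(std::make_unique<Obj>()); return gArena.back().get(); }

// Simulated moving GC: relocate every rooted object and fix up the roots.
static void moveGC() {
    for (Obj** root : gRoots) {
        Obj* old = *root;
        gArena.push_back(std::make_unique<Obj>(*old));
        *root = gArena.back().get();
        old->moved = true;
    }
}

// Minimal Rooted<T*>: registered with the GC, but operator-> hands out a raw pointer.
struct Rooted {
    Obj* ptr;
    explicit Rooted(Obj* p) : ptr(p) { gRoots.push_back(&ptr); }
    ~Rooted() { gRoots.pop_back(); }
    Obj* operator->() const { return ptr; }
};

// Stand-in for options.element(): a call the analysis must assume can GC.
static int elementValue() { moveGC(); return 42; }

// Hazard pattern from the bug: operator-> runs before the argument is evaluated (guaranteed
// in C++17), so the call lands on the copy the GC abandoned. Returns true if the hazard fired.
static bool runHazardous() {
    Rooted obj(allocate());
    bool stale = obj->initSlot(1, elementValue());
    return stale && obj->slots[1] == 0;  // live object never received the value
}

// Fix: finish the possibly-GCing call before unpacking the rooted pointer.
static bool runSafe() {
    Rooted obj(allocate());
    int v = elementValue();
    bool stale = obj->initSlot(1, v);
    return !stale && obj->slots[1] == 42;
}
```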

And this was indeed fixed by Steve's virtual fixes.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Assignee: general → terrence
Whiteboard: [qa-]