Bug 940629: Root StackShape across getChildPropertyOnDictionary calls
Opened 11 years ago, closed 11 years ago
Category: Core :: JavaScript Engine (defect)
Status: RESOLVED FIXED (mozilla28)
People: Reporter: sfink, Assigned: sfink
Whiteboard: [qa-]
Attachments (1 file): patch (deleted), bhackett1024: review+
There are 2 places where an unrooted StackShape is live across a call to getChildPropertyOnDictionary. The analysis does not report these as hazards because the StackShape is passed in by reference. Presumably these are reported instead as taking an address of an unrooted variable; I haven't looked.
Comment 1•11 years ago (Assignee)
r? bhackett because StackShape is rooted-on-demand, and these look like pretty hot uses. I don't know whether this'll show up on awfy ggc.
Attachment #8334770 - Flags: review?(bhackett1024)
Comment 2•11 years ago
Comment on attachment 8334770
Root StackShape across getChildPropertyOnDictionary calls
Review of attachment 8334770:
-----------------------------------------------------------------
(In reply to Steve Fink [:sfink] from comment #0)
> Presumably these are
> reported instead as taking an address of an unrooted variable; I haven't
> looked.
Can you look, please?
Attachment #8334770 - Flags: review?(bhackett1024) → review+
Comment 3•11 years ago (Assignee)
Yes, they're there. Example:
Function 'js::Shape* JSObject::putProperty(js::ForkJoinSlice*, class JS::Handle<JSObject*>, class JS::Handle<jsid>, (uint8)(JSContext*,class JS::Handle<JSObject*>,class JS::Handle<jsid>,class JS::MutableHandle<JS::Value>)*, (uint8)(JSContext*,class JS::Handle<JSObject*>,class JS::Handle<jsid>,uint8,class JS::MutableHandle<JS::Value>)*, uint32, uint32, uint32, int32) [with js::ExecutionMode mode = (js::ExecutionMode)1u; typename js::ExecutionModeTraits<mode>::ExclusiveContextType = js::ForkJoinSlice*; JS::HandleObject = JS::Handle<JSObject*>; JS::HandleId = JS::Handle<jsid>; js::PropertyOp = bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>); js::StrictPropertyOp = bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>); uint32_t = unsigned int]' takes unsafe address of unrooted 'child' at js/src/vm/Shape.cpp:919
Comment 4•11 years ago (Assignee)
Comment 5•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Updated•11 years ago
Whiteboard: [qa-]
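The hazard discussed in this bug, as an added illustration that is not taken from the bug, its patch, or SpiderMonkey: a toy moving collector in which a stack struct holding a raw pointer is passed by reference across a call that collects. `Heap`, `Cell`, `StackShapeLike`, `AutoRoot` and `getChildLike` are hypothetical stand-ins, not engine APIs.

```cpp
#include <cstdio>
#include <memory>
#include <vector>

// Toy moving collector; every name here is a hypothetical stand-in.
struct Cell { int id; };

struct Heap {
    std::vector<std::unique_ptr<Cell>> live, graveyard;
    std::vector<Cell**> roots;  // addresses of pointers the collector may update
    Cell* alloc(int id) {
        live.emplace_back(new Cell{id});
        return live.back().get();
    }
    // Move every cell, fix up rooted pointers, poison the old copy.
    void collect() {
        for (auto& slot : live) {
            std::unique_ptr<Cell> moved(new Cell(*slot));
            for (Cell** r : roots)
                if (*r == slot.get()) *r = moved.get();
            slot->id = -1;                         // poison: marks a stale read
            graveyard.push_back(std::move(slot));  // kept allocated, so no UB
            slot = std::move(moved);
        }
    }
};

struct StackShapeLike { Cell* base; };  // stack struct holding a raw GC pointer
struct AutoRoot {  // registers the struct's pointer as a root for one scope
    Heap& h;
    AutoRoot(Heap& heap, StackShapeLike& s) : h(heap) { h.roots.push_back(&s.base); }
    ~AutoRoot() { h.roots.pop_back(); }
};

// Takes the struct by reference and may collect before reading it.
int getChildLike(Heap& h, StackShapeLike& child) {
    h.collect();
    return child.base->id;
}

int run(bool rooted) {
    Heap h;
    StackShapeLike child{h.alloc(7)};
    if (!rooted) return getChildLike(h, child);  // reads the poisoned old copy
    AutoRoot root(h, child);
    return getChildLike(h, child);               // pointer was fixed up
}

int main() { std::printf("unrooted=%d rooted=%d\n", run(false), run(true)); }
```

The unrooted run returns the poison value because the callee reads through a pointer the collector never learned about; the rooted run returns the cell's real id.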