Bug 947323 - Fix two false positive rooting analysis hazards in ScriptSource::create
Opened 11 years ago; closed 11 years ago
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Target Milestone: mozilla29
People: Reporter: terrence, Assigned: terrence
Whiteboard: [qa-]
Attachments: 1 file (patch, deleted)
Function 'js::ScriptSourceObject* js::ScriptSourceObject::create(js::ExclusiveContext*, js::ScriptSource*, JS::ReadOnlyCompileOptions*)' has unrooted '__temp_11' of type 'js::ScriptSourceObject*' live across GC call JS::ReadOnlyCompileOptions.element at js/src/jsscript.cpp:1009
js/src/jsscript.cpp:1009: Call(21,22, __temp_13 := options*.element*())
js/src/jsscript.cpp:1009: Call(22,23, __temp_12 := ObjectOrNullValue(__temp_13*))
js/src/jsscript.cpp:1009: Call(23,24, __temp_11*.field:0.field:0.initSlot(1,__temp_12))
Function 'js::ScriptSourceObject* js::ScriptSourceObject::create(js::ExclusiveContext*, js::ScriptSource*, JS::ReadOnlyCompileOptions*)' has unrooted '__temp_15' of type 'js::ScriptSourceObject*' live across GC call JS::ReadOnlyCompileOptions.elementProperty at js/src/jsscript.cpp:1011
js/src/jsscript.cpp:1011: Call(27,28, __temp_17 := options*.elementProperty*())
js/src/jsscript.cpp:1011: Call(28,29, __temp_16 := StringValue(__temp_17*))
js/src/jsscript.cpp:1011: Call(29,33, __temp_15*.field:0.field:0.initSlot(2,__temp_16))
Line: sourceObject->initSlot(ELEMENT_SLOT, ObjectOrNullValue(options.element()));
The problem here is that operator-> unpacks the ScriptSourceObject* to the stack before the call to options.element(). I'm glad that gcc can actually detect this class of problem. In this case at least, options.element() can't really GC, but it is a direct call to a virtual method.
This should get fixed by the work Steve is doing to fix this case in general. Another option is the patch attached here. I'm filing this bug mostly so that I don't have to re-do the investigation again.
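As an added illustration of what the analysis is objecting to (a toy model written for this page, not SpiderMonkey code and not the attached patch): a moving heap where the virtual element() really does GC, with the hazardous shape spelled out as the two steps gcc reported (the raw pointer captured as `__temp_11`, then the call) so the outcome does not depend on the compiler's argument evaluation order, beside the hoisted shape that dereferences the root only after the GC-capable call. The Heap, Rooted and Options types are stand-ins assumed for the demonstration.

```cpp
#include <cstdint>
#include <vector>

// Toy moving heap (assumed model, not SpiderMonkey's): one live object at a
// time; gc() copies it to a fresh address and patches only registered roots.
struct Cell { uint32_t slots[4] = {0, 0, 0, 0}; };
struct Heap {
    std::vector<Cell> space;    // reserved up front so addresses stay stable
    std::vector<Cell**> roots;  // addresses of the rooted pointers
    Heap() { space.reserve(16); }
    Cell* alloc() { space.emplace_back(); return &space.back(); }
    void gc() {
        Cell* old = &space.back(); Cell* fresh = alloc(); *fresh = *old;
        for (Cell** r : roots) if (*r == old) *r = fresh;  // roots follow the move
    }
};
// Stand-in for JS::Rooted<ScriptSourceObject*>: gc() rewrites ptr in place.
struct Rooted {
    Heap& heap; Cell* ptr;
    Rooted(Heap& h, Cell* p) : heap(h), ptr(p) { heap.roots.push_back(&ptr); }
    ~Rooted() { heap.roots.pop_back(); }
    Cell* get() const { return ptr; }  // the raw pointer operator-> hands out
};
// Stand-in for ReadOnlyCompileOptions::element(): a virtual call the analysis
// must assume can GC. In this model it really does.
struct Options {
    Heap& heap; explicit Options(Heap& h) : heap(h) {}
    virtual ~Options() {}
    virtual uint32_t element() { heap.gc(); return 42; }
};
const int ELEMENT_SLOT = 1;

// Hazard shape: the raw pointer (gcc's __temp_11) is unpacked before the
// argument expression options.element() runs, so the store hits a stale copy.
uint32_t initSlotUnpackedFirst(Heap& heap) {
    Rooted sourceObject(heap, heap.alloc());
    Options options(heap);
    Cell* temp11 = sourceObject.get();        // unrooted copy on the stack
    uint32_t value = options.element();       // GC moves the object here
    temp11->slots[ELEMENT_SLOT] = value;      // lands on the dead copy
    return sourceObject.get()->slots[ELEMENT_SLOT];  // live object: still 0
}
// Hoisted shape: run the GC-capable call first, then dereference the root.
uint32_t initSlotHoisted(Heap& heap) {
    Rooted sourceObject(heap, heap.alloc());
    Options options(heap);
    uint32_t value = options.element();
    sourceObject.get()->slots[ELEMENT_SLOT] = value;
    return sourceObject.get()->slots[ELEMENT_SLOT];  // 42
}
```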
Comment 1 (Assignee) • 11 years ago
And this was indeed fixed by Steve's virtual fixes.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated • 11 years ago
Target Milestone: --- → mozilla29
Updated • 11 years ago
Assignee: general → terrence
Updated • 11 years ago
Whiteboard: [qa-]