Bug 794214 - Avoid putting poisoned pointer into type->newScript. r=billm
authorSteve Fink <sfink@mozilla.com>
Tue, 25 Sep 2012 13:48:40 -0700
changeset 109436 b118ae06adeb7fc0bb775aa1d2e62e6e68944362
parent 109435 9adf5ca922a41034c2813b89675d0070c2316c67
child 109437 e51d8558ad641e9fff3e10e20384a2f365c8a9f9
push id16028
push usersfink@mozilla.com
push dateFri, 05 Oct 2012 20:32:25 +0000
reviewersbillm
bugs794214
milestone18.0a1
Bug 794214 - Avoid putting poisoned pointer into type->newScript. r=billm
js/src/jsinfer.cpp
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -4953,17 +4953,27 @@ CheckNewScriptProperties(JSContext *cx, 
         !type->addDefiniteProperties(cx, baseobj) ||
         !initializerList.append(done)) {
         cx->compartment->types.setPendingNukeTypes(cx);
         return;
     }
 
     size_t numBytes = sizeof(TypeNewScript)
                     + (initializerList.length() * sizeof(TypeNewScript::Initializer));
+#ifdef JSGC_ROOT_ANALYSIS
+    // calloc can legitimately return a pointer that appears to be poisoned.
+    void *p;
+    do {
+        p = cx->calloc_(numBytes);
+    } while (IsPoisonedPtr(p));
+    type->newScript = (TypeNewScript *) p;
+#else
     type->newScript = (TypeNewScript *) cx->calloc_(numBytes);
+#endif
+
     if (!type->newScript) {
         cx->compartment->types.setPendingNukeTypes(cx);
         return;
     }
 
     type->newScript->fun = fun;
     type->newScript->allocKind = kind;
     type->newScript->shape = baseobj->lastProperty();
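Review bot: Every poisoned pointer rejected by the new do/while under JSGC_ROOT_ANALYSIS is dropped without being freed, so each retry leaks numBytes of calloc'd memory; if that is deliberate (freeing the block could let the allocator hand the same poisoned address straight back), the comment should say so rather than leave it to the reader, e.g. `// Rejected blocks are intentionally not freed: releasing them could make calloc_ return the same poisoned address again.` The loop also silently relies on IsPoisonedPtr(nullptr) being false so that an out-of-memory result still falls through to the `if (!type->newScript)` check below; a word about that in the same comment would make the contract explicit. CheckNewScriptProperties begins and ends outside the hunk.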