Bug 1548793 - Add some more assertions when creating ProxyObjects r=jandem?
authorJon Coppeard <jcoppeard@mozilla.com>
Fri, 03 May 2019 11:19:09 +0000
changeset 472868 2a8d60898476d96040ed1a64f43ab4502d70a806
parent 472867 58322f42c74dec1aa92fed28f43e7b44af2b9e4e
child 472869 b840fb920d287edc9b2fb6b35e20b5bb18d5236f
push id35980
push usershindli@mozilla.com
push dateTue, 07 May 2019 14:47:21 +0000
treeherdermozilla-central@882bba44f789 [default view] [failures only]
reviewersjandem
bugs1548793
milestone68.0a1
Bug 1548793 - Add some more assertions when creating ProxyObjects r=jandem? Differential Revision: https://phabricator.services.mozilla.com/D29806
js/src/proxy/Proxy.cpp
js/src/vm/ProxyObject.cpp
--- a/js/src/proxy/Proxy.cpp
+++ b/js/src/proxy/Proxy.cpp
@@ -767,16 +767,22 @@ const ObjectOps js::ProxyObjectOps = {
 const Class js::ProxyClass =
     PROXY_CLASS_DEF("Proxy", JSCLASS_HAS_CACHED_PROTO(JSProto_Proxy) |
                                  JSCLASS_HAS_RESERVED_SLOTS(2));
 
 JS_FRIEND_API JSObject* js::NewProxyObject(JSContext* cx,
                                            const BaseProxyHandler* handler,
                                            HandleValue priv, JSObject* proto_,
                                            const ProxyOptions& options) {
+  AssertHeapIsIdle();
+  CHECK_THREAD(cx);
+  if (proto_ != TaggedProto::LazyProto) {
+    cx->check(proto_); // |priv| might be cross-compartment.
+  }
+
   if (options.lazyProto()) {
     MOZ_ASSERT(!proto_);
     proto_ = TaggedProto::LazyProto;
   }
 
   return ProxyObject::New(cx, handler, priv, TaggedProto(proto_), options);
 }
 
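Review bot: The trailing comment on `cx->check(proto_);` explains why |priv| is left out rather than what the line checks, so it is easy to misread as a statement about proto_. Put it on its own line above the `if`, for example `// Only |proto_| must be same-compartment; |priv| may legitimately be cross-compartment.` The three added checks look like assertion-style helpers, so presumably they are compiled out of at least some release configurations. Since this is a JS_FRIEND_API entry point, the doc comment at its declaration should say that callers are responsible for passing a proto from cx's compartment, because a mismatch would otherwise go unnoticed outside debug builds.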
--- a/js/src/vm/ProxyObject.cpp
+++ b/js/src/vm/ProxyObject.cpp
@@ -183,20 +183,24 @@ void ProxyObject::nuke() {
       return cx->alreadyReportedOOM();
     }
 
     shape = EmptyShape::getInitialShape(cx, clasp, proto, /* nfixed = */ 0);
     if (!shape) {
       return cx->alreadyReportedOOM();
     }
 
-    MOZ_ASSERT(group->realm() == realm);
     realm->newProxyCache.add(group, shape);
   }
 
+  MOZ_ASSERT(group->realm() == realm);
+  MOZ_ASSERT(shape->zone() == cx->zone());
+  MOZ_ASSERT(!IsAboutToBeFinalizedUnbarriered(group.address()));
+  MOZ_ASSERT(!IsAboutToBeFinalizedUnbarriered(shape.address()));
+
   gc::InitialHeap heap = GetInitialHeap(newKind, group);
   debugCheckNewObject(group, shape, allocKind, heap);
 
   JSObject* obj =
       js::AllocateObject(cx, allocKind, /* nDynamicSlots = */ 0, heap, clasp);
   if (!obj) {
     return cx->alreadyReportedOOM();
   }
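Review bot: The four assertions added after the closing brace have no comment saying what they guard, and the reason is not obvious from the hunk. They now run on both paths, including the one where group and shape do not come from the allocation calls above (presumably a hit in `realm->newProxyCache`), so a stale or wrong-zone cache entry is what they would catch. A one-line comment such as `// group/shape may come from newProxyCache: they must belong to this realm/zone and not be awaiting finalization.` would record that. As MOZ_ASSERT they only fire in debug builds; if a dead cached group or shape is the concern behind the bug, consider whether the cheap realm and zone comparisons warrant `MOZ_DIAGNOSTIC_ASSERT`. The enclosing function starts and ends outside the hunk.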