Bug 899696 - Fix unsafe reference hazard in SendToGenerator; r=sfink
authorTerrence Cole <terrence@mozilla.com>
Tue, 30 Jul 2013 16:29:59 -0700
changeset 140804 6088d570849702e5fea5c2fbebe4c1f726ef57c0
parent 140803 7f01c4bb30e68e2fbcad096f809e55c05c2fd635
child 140805 1d49d7996875ae564a6c6324610a5b1144973b0b
push id25041
push userkwierso@gmail.com
push dateThu, 01 Aug 2013 00:32:15 +0000
reviewerssfink
bugs899696
milestone25.0a1
Bug 899696 - Fix unsafe reference hazard in SendToGenerator; r=sfink
js/src/jsiter.cpp
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@@ -1537,17 +1537,17 @@ typedef enum JSGeneratorOp {
 } JSGeneratorOp;
 
 /*
  * Start newborn or restart yielding generator and perform the requested
  * operation inside its frame.
  */
 static JSBool
 SendToGenerator(JSContext *cx, JSGeneratorOp op, HandleObject obj,
-                JSGenerator *gen, const Value &arg)
+                JSGenerator *gen, HandleValue arg)
 {
     if (gen->state == JSGEN_RUNNING || gen->state == JSGEN_CLOSING) {
         JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_NESTING_GENERATOR);
         return false;
     }
 
     JSGeneratorState futureState;
     JS_ASSERT(gen->state == JSGEN_NEWBORN || gen->state == JSGEN_OPEN);
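Review bot: The block comment above SendToGenerator still describes only what the function does and says nothing about the rooting contract that the new `HandleValue arg` parameter introduces. Going by the commit title, the old `const Value &arg` could refer to a value that no root keeps alive, so I would add a line such as `arg must be rooted by the caller: it is read after code that can trigger a GC.`, adjusted to match where the body actually reads it. The body of SendToGenerator continues past the end of this hunk, so the point where `arg` is read is not visible here. `gen` is still passed as a raw `JSGenerator *`; if its lifetime does not depend on the collector, saying so in the same comment would save the next reader the check.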
@@ -1623,17 +1623,17 @@ CloseGenerator(JSContext *cx, HandleObje
     if (!gen) {
         /* Generator prototype object. */
         return true;
     }
 
     if (gen->state == JSGEN_CLOSED)
         return true;
 
-    return SendToGenerator(cx, JSGENOP_CLOSE, obj, gen, UndefinedValue());
+    return SendToGenerator(cx, JSGENOP_CLOSE, obj, gen, JS::UndefinedHandleValue);
 }
 
 JS_ALWAYS_INLINE bool
 IsGenerator(const Value &v)
 {
     return v.isObject() && v.toObject().is<GeneratorObject>();
 }
 
@@ -1652,21 +1652,18 @@ generator_send_impl(JSContext *cx, CallA
 
     if (gen->state == JSGEN_NEWBORN && args.hasDefined(0)) {
         RootedValue val(cx, args[0]);
         js_ReportValueError(cx, JSMSG_BAD_GENERATOR_SEND,
                             JSDVG_SEARCH_STACK, val, NullPtr());
         return false;
     }
 
-    if (!SendToGenerator(cx, JSGENOP_SEND, thisObj, gen,
-                         args.length() > 0 ? args[0] : UndefinedValue()))
-    {
+    if (!SendToGenerator(cx, JSGENOP_SEND, thisObj, gen, args.get(0)))
         return false;
-    }
 
     args.rval().set(gen->fp->returnValue());
     return true;
 }
 
 JSBool
 generator_send(JSContext *cx, unsigned argc, Value *vp)
 {
@@ -1682,17 +1679,17 @@ generator_next_impl(JSContext *cx, CallA
     RootedObject thisObj(cx, &args.thisv().toObject());
 
     JSGenerator *gen = thisObj->as<GeneratorObject>().getGenerator();
     if (!gen || gen->state == JSGEN_CLOSED) {
         /* This happens when obj is the generator prototype. See bug 352885. */
         return js_ThrowStopIteration(cx);
     }
 
-    if (!SendToGenerator(cx, JSGENOP_NEXT, thisObj, gen, UndefinedValue()))
+    if (!SendToGenerator(cx, JSGENOP_NEXT, thisObj, gen, JS::UndefinedHandleValue))
         return false;
 
     args.rval().set(gen->fp->returnValue());
     return true;
 }
 
 JSBool
 generator_next(JSContext *cx, unsigned argc, Value *vp)
@@ -1710,21 +1707,18 @@ generator_throw_impl(JSContext *cx, Call
 
     JSGenerator *gen = thisObj->as<GeneratorObject>().getGenerator();
     if (!gen || gen->state == JSGEN_CLOSED) {
         /* This happens when obj is the generator prototype. See bug 352885. */
         cx->setPendingException(args.length() >= 1 ? args[0] : UndefinedValue());
         return false;
     }
 
-    if (!SendToGenerator(cx, JSGENOP_THROW, thisObj, gen,
-                         args.length() > 0 ? args[0] : UndefinedValue()))
-    {
+    if (!SendToGenerator(cx, JSGENOP_THROW, thisObj, gen, args.get(0)))
         return false;
-    }
 
     args.rval().set(gen->fp->returnValue());
     return true;
 }
 
 JSBool
 generator_throw(JSContext *cx, unsigned argc, Value *vp)
 {
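Review bot: The early-exit path in generator_throw_impl still spells out `args.length() >= 1 ? args[0] : UndefinedValue()` for setPendingException, while the call changed in this hunk now uses `args.get(0)` for the same "argument zero or undefined" value. For consistency, and so this function keeps no copy of the temporary-`UndefinedValue()` ternary the commit is removing, that line could read `cx->setPendingException(args.get(0));`. Whether the old form is an actual hazard there depends on how setPendingException takes its parameter, which is not visible in this diff. generator_throw_impl begins before the hunk.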
@@ -1747,17 +1741,17 @@ generator_close_impl(JSContext *cx, Call
     }
 
     if (gen->state == JSGEN_NEWBORN) {
         SetGeneratorClosed(cx, gen);
         args.rval().setUndefined();
         return true;
     }
 
-    if (!SendToGenerator(cx, JSGENOP_CLOSE, thisObj, gen, UndefinedValue()))
+    if (!SendToGenerator(cx, JSGENOP_CLOSE, thisObj, gen, JS::UndefinedHandleValue))
         return false;
 
     args.rval().set(gen->fp->returnValue());
     return true;
 }
 
 JSBool
 generator_close(JSContext *cx, unsigned argc, Value *vp)