Bug 733372 - Fix an infinite recursion in GC marking; r=billm
authorTerrence Cole <terrence@mozilla.com>
Tue, 06 Mar 2012 11:44:34 -0800
changeset 88325 78e56fd22f2a9b424865dd62b1de528e6e1d397d
parent 88324 75fcd465d5064f8d00c7c04f76434806b3c5b2cb
child 88326 7392246c7a3a8601f6c5987102fe1c78d196552f
push id22191
push usertcole@mozilla.com
push dateTue, 06 Mar 2012 19:45:00 +0000
treeherdermozilla-central@78e56fd22f2a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbillm
bugs733372
milestone13.0a1
first release with
nightly linux32
78e56fd22f2a / 13.0a1 / 20120307031051 / files
nightly linux64
78e56fd22f2a / 13.0a1 / 20120307031051 / files
nightly mac
78e56fd22f2a / 13.0a1 / 20120307031051 / files
nightly win32
78e56fd22f2a / 13.0a1 / 20120307031051 / files
nightly win64
78e56fd22f2a / 13.0a1 / 20120307031051 / files
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
releases
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 733372 - Fix an infinite recursion in GC marking; r=billm Since the private data is sometimes packed in strange ways into the underlying structure, we cannot just pass a reference to it to the marker. Instead, we store the gotten value on the C stack, do marking and potentially update its value there, then pass the updated privates location to the object using setPrivate. If the setPrivate function triggers write barriers that end up marking, this can recurse. For now we should simply not do this.
js/src/jsapi.cpp
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -4262,17 +4262,17 @@ prop_iter_trace(JSTracer *trc, JSObject 
     if (obj->getSlot(JSSLOT_ITER_INDEX).toInt32() < 0) {
         /*
          * Native case: just mark the next property to visit. We don't need a
          * barrier here because the pointer is updated via setPrivate, which
          * always takes a barrier.
          */
         Shape *tmp = (Shape *)pdata;
         MarkShapeUnbarriered(trc, &tmp, "prop iter shape");
-        obj->setPrivate(tmp);
+        JS_ASSERT(tmp == pdata);
     } else {
         /* Non-native case: mark each id in the JSIdArray private. */
         JSIdArray *ida = (JSIdArray *) pdata;
         MarkIdRange(trc, ida->length, ida->vector, "prop iter");
     }
 }
 
 static Class prop_iter_class = {