Bug 794214 - Avoid putting poisoned pointer into type->newScript. r=billm
authorSteve Fink <sfink@mozilla.com>
Tue, 25 Sep 2012 13:48:40 -0700
changeset 109457 b118ae06adeb7fc0bb775aa1d2e62e6e68944362
parent 109456 9adf5ca922a41034c2813b89675d0070c2316c67
child 109458 e51d8558ad641e9fff3e10e20384a2f365c8a9f9
push id23630
push useremorley@mozilla.com
push dateSat, 06 Oct 2012 19:35:27 +0000
reviewersbillm
bugs794214
milestone18.0a1
Bug 794214 - Avoid putting poisoned pointer into type->newScript. r=billm
js/src/jsinfer.cpp
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -4953,17 +4953,27 @@ CheckNewScriptProperties(JSContext *cx, 
         !type->addDefiniteProperties(cx, baseobj) ||
         !initializerList.append(done)) {
         cx->compartment->types.setPendingNukeTypes(cx);
         return;
     }
 
     size_t numBytes = sizeof(TypeNewScript)
                     + (initializerList.length() * sizeof(TypeNewScript::Initializer));
+#ifdef JSGC_ROOT_ANALYSIS
+    // calloc can legitimately return a pointer that appears to be poisoned.
+    void *p;
+    do {
+        p = cx->calloc_(numBytes);
+    } while (IsPoisonedPtr(p));
+    type->newScript = (TypeNewScript *) p;
+#else
     type->newScript = (TypeNewScript *) cx->calloc_(numBytes);
+#endif
+
     if (!type->newScript) {
         cx->compartment->types.setPendingNukeTypes(cx);
         return;
     }
 
     type->newScript->fun = fun;
     type->newScript->allocKind = kind;
     type->newScript->shape = baseobj->lastProperty();
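Review bot: The retry loop at the added lines drops every calloc_ result that looks poisoned without freeing it, so each retry leaks a block in JSGC_ROOT_ANALYSIS builds. That is probably deliberate — freeing the block first could let the allocator hand the same address straight back and spin the loop — but the comment only says calloc can return such a pointer, not why the rejects are kept; I would extend it: `// Rejected blocks are intentionally not freed: releasing one could make the allocator return the same address again.` If the leak matters, the rejected pointers could instead be collected in a local Vector and freed after the loop. It is also not visible here whether IsPoisonedPtr returns false for null, which the loop needs so that an out-of-memory return still reaches the null check below. CheckNewScriptProperties starts before and continues after the hunk.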