bug 478336 - fixing rt->state/rt->contextList mutation race. r=brendan
authorIgor Bukanov <igor@mir2.org>
Wed, 11 Mar 2009 11:54:49 +0100
changeset 26058 e0a0a14fd1d362b6a1f138996960cfab1c7a21fa
parent 26037 11e02710ebfa15ea0a7fd2038d869084b5757dc2
child 26059 d6c7c044e927e7cf3166803db15db212f1e78148
push id5877
push userrsayre@mozilla.com
push dateWed, 11 Mar 2009 21:44:17 +0000
reviewersbrendan
bugs478336
milestone1.9.2a1pre
bug 478336 - fixing rt->state/rt->contextList mutation race. r=brendan
js/src/jscntxt.cpp
--- a/js/src/jscntxt.cpp
+++ b/js/src/jscntxt.cpp
@@ -296,26 +296,28 @@ js_NewContext(JSRuntime *rt, size_t stac
                        1024,  /* FIXME: bug 421435 */
                        sizeof(jsdouble), &cx->scriptStackQuota);
 
     js_InitRegExpStatics(cx);
     JS_ASSERT(cx->resolveFlags == 0);
 
     JS_LOCK_GC(rt);
     for (;;) {
-        first = (rt->contextList.next == &rt->contextList);
+        /*
+         * Ensure that we don't race with the GC on other threads, bug 478336.
+         */
+        js_WaitForGC(rt);
         if (rt->state == JSRTS_UP) {
-            JS_ASSERT(!first);
-
-            /* Ensure that it is safe to update rt->contextList below. */
-            js_WaitForGC(rt);
+            JS_ASSERT(!JS_CLIST_IS_EMPTY(&rt->contextList));
+            first = JS_FALSE;
             break;
         }
         if (rt->state == JSRTS_DOWN) {
-            JS_ASSERT(first);
+            JS_ASSERT(JS_CLIST_IS_EMPTY(&rt->contextList));
+            first = JS_TRUE;
             rt->state = JSRTS_LAUNCHING;
             break;
         }
         JS_WAIT_CONDVAR(rt->stateChange, JS_NO_TIMEOUT);
     }
     JS_APPEND_LINK(&cx->link, &rt->contextList);
     JS_UNLOCK_GC(rt);