Bug 1337414 - Don't trace into GC things owned by other runtimes in CheckHeapTracer r=jandem
authorJon Coppeard <jcoppeard@mozilla.com>
Thu, 23 Feb 2017 16:26:14 +0000
changeset 344610 f8c367bec5de25a16bd17a29bbd68ceafa3b0935
parent 344609 8b4e84832765f2334567865541c4fd842b63d8c0
child 344611 942c217ca90d4af830f5bc1bccb807b9c2d5e05b
push id31414
push usercbook@mozilla.com
push dateFri, 24 Feb 2017 10:47:41 +0000
reviewersjandem
bugs1337414
milestone54.0a1
Bug 1337414 - Don't trace into GC things owned by other runtimes in CheckHeapTracer r=jandem
js/src/gc/Verifier.cpp
js/src/jit-test/tests/gc/bug-1337414.js
--- a/js/src/gc/Verifier.cpp
+++ b/js/src/gc/Verifier.cpp
@@ -3,16 +3,17 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef MOZ_VALGRIND
 # include <valgrind/memcheck.h>
 #endif
 
+#include "mozilla/DebugOnly.h"
 #include "mozilla/IntegerPrintfMacros.h"
 #include "mozilla/Sprintf.h"
 
 #include "jscntxt.h"
 #include "jsgc.h"
 #include "jsprf.h"
 
 #include "gc/GCInternals.h"
@@ -297,17 +298,17 @@ CheckEdgeTracer::onChild(const JS::GCCel
             return;
         }
     }
 }
 
 void
 js::gc::AssertSafeToSkipBarrier(TenuredCell* thing)
 {
-    Zone* zone = thing->zoneFromAnyThread();
+    mozilla::DebugOnly<Zone*> zone = thing->zoneFromAnyThread();
     MOZ_ASSERT(!zone->needsIncrementalBarrier() || zone->isAtomsZone());
 }
 
 static bool
 IsMarkedOrAllocated(const EdgeValue& edge)
 {
     if (!edge.thing || IsMarkedOrAllocated(TenuredCell::fromPointer(edge.thing)))
         return true;
@@ -526,16 +527,20 @@ CheckHeapTracer::onChild(const JS::GCCel
             fprintf(stderr, "  from %s %p %s edge\n",
                     GCTraceKindToAscii(cell->getTraceKind()), cell, name);
             name = parent.name;
         }
         fprintf(stderr, "  from root %s\n", name);
         return;
     }
 
+    // Don't trace into GC things owned by another runtime.
+    if (cell->runtimeFromAnyThread() != rt)
+        return;
+
     WorkItem item(thing, contextName(), parentIndex);
     if (!stack.append(item))
         oom = true;
 }
 
 void
 CheckHeapTracer::check(AutoLockForExclusiveAccess& lock)
 {
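Review bot: The new comment above `if (cell->runtimeFromAnyThread() != rt)` says what is skipped but not why such cells are reachable from this runtime's roots, or why leaving them unverified is sound. A heap checker that silently drops edges needs that reasoning next to the early return, for example `// Cells owned by another runtime (presumably things shared from a parent runtime, e.g. atoms) are not ours to verify; don't walk a heap this tracer does not own.` The parent-runtime part is inferred from the worker-based test added in this commit and should be confirmed. The check sits after the failure-reporting early return, so the pointer appears to be validated before `runtimeFromAnyThread()` dereferences it. CheckHeapTracer::onChild starts above the hunk, so that ordering cannot be confirmed from here.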
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1337414.js
@@ -0,0 +1,46 @@
+var lfLogBuffer = `
+gczeal(15,10);
+try {
+    a = []
+    gczeal(2, 2)()
+} catch (e) {}
+a.every(function() {})
+//corefuzz-dcd-endofdata
+//corefuzz-dcd-selectmode 5
+`;
+lfLogBuffer = lfLogBuffer.split('\n');
+lfPreamble = `
+`;
+var lfCodeBuffer = "";
+var lfRunTypeLimit = 7;
+var lfOffThreadGlobal = newGlobal();
+try {} catch (lfVare5) {}
+var lfAccumulatedCode = lfPreamble;
+while (true) {
+    var line = lfLogBuffer.shift();
+    if (line == null) {
+        break;
+    } else if (line == "//corefuzz-dcd-endofdata") {
+        loadFile(lfCodeBuffer);
+    } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) {
+        loadFile(line);
+    } else {
+        lfCodeBuffer += line + "\n";
+    }
+}
+if (lfCodeBuffer) loadFile(lfCodeBuffer);
+function loadFile(lfVarx) {
+    try {
+        if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) {
+            lfRunTypeId = parseInt(lfVarx.split(" ")[1]) % lfRunTypeLimit;
+        } else {
+            switch (lfRunTypeId) {
+                case 5:
+                    evalInWorker(lfAccumulatedCode);
+                    evaluate(lfVarx);
+            }
+        }
+    } catch (lfVare) {
+        lfAccumulatedCode += "try { evaluate(`\n" + lfVarx + "\n`); } catch(exc) {}\n";
+    }
+}
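Review bot: This regression test can pass without ever reaching the heap checker, because every call in `loadFile` sits inside a `try` whose `catch` only appends to `lfAccumulatedCode`. If `evalInWorker` throws (for instance in a shell configured without worker threads, which is an assumption about the harness), the error is swallowed and the run is still green. An explicit guard at the top, such as `if (helperThreadCount() === 0) quit();`, would make the precondition visible. A one-line header comment saying the test runs `gczeal(15,10)` code inside a worker would also help, since the fuzzer scaffolding hides that. `lfRunTypeId` is never declared, so the first `loadFile` call reaches `switch (lfRunTypeId)` and throws a ReferenceError that the catch absorbs; that works here but is fragile if the file is ever reduced further.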