Bug 1337414 - Don't trace into GC things owned by other runtimes in CheckHeapTracer r=jandem
authorJon Coppeard <jcoppeard@mozilla.com>
Thu, 23 Feb 2017 16:26:14 +0000
changeset 373637 f8c367bec5de25a16bd17a29bbd68ceafa3b0935
parent 373636 8b4e84832765f2334567865541c4fd842b63d8c0
child 373638 942c217ca90d4af830f5bc1bccb807b9c2d5e05b
push id10863
push userjlorenzo@mozilla.com
push dateMon, 06 Mar 2017 23:02:23 +0000
treeherdermozilla-aurora@0931190cd725 [default view] [failures only]
reviewersjandem
bugs1337414
milestone54.0a1
Bug 1337414 - Don't trace into GC things owned by other runtimes in CheckHeapTracer r=jandem
js/src/gc/Verifier.cpp
js/src/jit-test/tests/gc/bug-1337414.js
--- a/js/src/gc/Verifier.cpp
+++ b/js/src/gc/Verifier.cpp
@@ -3,16 +3,17 @@
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifdef MOZ_VALGRIND
 # include <valgrind/memcheck.h>
 #endif
 
+#include "mozilla/DebugOnly.h"
 #include "mozilla/IntegerPrintfMacros.h"
 #include "mozilla/Sprintf.h"
 
 #include "jscntxt.h"
 #include "jsgc.h"
 #include "jsprf.h"
 
 #include "gc/GCInternals.h"
@@ -297,17 +298,17 @@ CheckEdgeTracer::onChild(const JS::GCCel
             return;
         }
     }
 }
 
 void
 js::gc::AssertSafeToSkipBarrier(TenuredCell* thing)
 {
-    Zone* zone = thing->zoneFromAnyThread();
+    mozilla::DebugOnly<Zone*> zone = thing->zoneFromAnyThread();
     MOZ_ASSERT(!zone->needsIncrementalBarrier() || zone->isAtomsZone());
 }
 
 static bool
 IsMarkedOrAllocated(const EdgeValue& edge)
 {
     if (!edge.thing || IsMarkedOrAllocated(TenuredCell::fromPointer(edge.thing)))
         return true;
@@ -526,16 +527,20 @@ CheckHeapTracer::onChild(const JS::GCCel
             fprintf(stderr, "  from %s %p %s edge\n",
                     GCTraceKindToAscii(cell->getTraceKind()), cell, name);
             name = parent.name;
         }
         fprintf(stderr, "  from root %s\n", name);
         return;
     }
 
+    // Don't trace into GC things owned by another runtime.
+    if (cell->runtimeFromAnyThread() != rt)
+        return;
+
     WorkItem item(thing, contextName(), parentIndex);
     if (!stack.append(item))
         oom = true;
 }
 
 void
 CheckHeapTracer::check(AutoLockForExclusiveAccess& lock)
 {
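Review bot: The `cell->runtimeFromAnyThread() != rt` guard runs only after the bad-pointer report block above it, so a cell owned by another runtime has already passed through whatever onChild does before that point. The start of the function is outside this hunk, so it is not visible whether that earlier code reads the cell's state or records it in the tracer's own bookkeeping. If it does, consider hoisting the guard to directly after the cell pointer is obtained; if validating the pointer to a foreign cell is intended and only the descent is skipped, the comment should say so. Either way the comment should state the reason, for example `// Cells owned by another runtime are outside this runtime's GC and may change underneath us; check the edge but don't trace through it.` (the reason given is inferred and needs confirming).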
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1337414.js
@@ -0,0 +1,46 @@
+var lfLogBuffer = `
+gczeal(15,10);
+try {
+    a = []
+    gczeal(2, 2)()
+} catch (e) {}
+a.every(function() {})
+//corefuzz-dcd-endofdata
+//corefuzz-dcd-selectmode 5
+`;
+lfLogBuffer = lfLogBuffer.split('\n');
+lfPreamble = `
+`;
+var lfCodeBuffer = "";
+var lfRunTypeLimit = 7;
+var lfOffThreadGlobal = newGlobal();
+try {} catch (lfVare5) {}
+var lfAccumulatedCode = lfPreamble;
+while (true) {
+    var line = lfLogBuffer.shift();
+    if (line == null) {
+        break;
+    } else if (line == "//corefuzz-dcd-endofdata") {
+        loadFile(lfCodeBuffer);
+    } else if (line.indexOf("//corefuzz-dcd-selectmode ") === 0) {
+        loadFile(line);
+    } else {
+        lfCodeBuffer += line + "\n";
+    }
+}
+if (lfCodeBuffer) loadFile(lfCodeBuffer);
+function loadFile(lfVarx) {
+    try {
+        if (lfVarx.indexOf("//corefuzz-dcd-selectmode ") === 0) {
+            lfRunTypeId = parseInt(lfVarx.split(" ")[1]) % lfRunTypeLimit;
+        } else {
+            switch (lfRunTypeId) {
+                case 5:
+                    evalInWorker(lfAccumulatedCode);
+                    evaluate(lfVarx);
+            }
+        }
+    } catch (lfVare) {
+        lfAccumulatedCode += "try { evaluate(`\n" + lfVarx + "\n`); } catch(exc) {}\n";
+    }
+}
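Review bot: Every path to `evalInWorker` in this test sits inside `loadFile`'s `try`/`catch (lfVare)`, which swallows the exception, so on a shell where a worker cannot be created the test passes without exercising the CheckHeapTracer fix. The file is also unreduced fuzzer-harness output, which hides what triggers the bug (apparently `gczeal(15,10)` on the main runtime while a worker runtime exists). Consider reducing it to those few calls and adding an explicit skip at the top, e.g. `if (helperThreadCount() === 0) quit();`, plus a one-line comment naming the zeal mode being exercised.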