Bug 1155985 - Set FieldInto::mType just before storing to reserved slot. r=jonco, a=abillings,lizzard
authorTooru Fujisawa <arai_a@mac.com>
Wed, 22 Apr 2015 23:59:01 +0900
changeset 266176 04e07d5a9b00
parent 266175 05122c19b3d7
child 266177 499efe6e8a4b
push id4775
push userarai_a@mac.com
push date2015-06-03 20:09 +0000
reviewersjonco, abillings, lizzard
bugs1155985
milestone39.0
Bug 1155985 - Set FieldInfo::mType just before storing to reserved slot. r=jonco, a=abillings,lizzard
js/src/ctypes/CTypes.cpp
js/src/jit-test/tests/ctypes/bug1155985.js
--- a/js/src/ctypes/CTypes.cpp
+++ b/js/src/ctypes/CTypes.cpp
@@ -4940,17 +4940,17 @@ StructType::DefineInternal(JSContext* cx
       // checking fieldOffset for overflow.
       if (fieldOffset + fieldSize < structSize) {
         JS_ReportError(cx, "size overflow");
         return false;
       }
 
       // Add field name to the hash
       FieldInfo info;
-      info.mType = fieldType;
+      info.mType = nullptr; // Value of fields are not yet traceable here.
       info.mIndex = i;
       info.mOffset = fieldOffset;
       ASSERT_OK(fields->add(entryPtr, name, info));
       JS_StoreStringPostBarrierCallback(cx, PostBarrierCallback, name, fields.get());
 
       structSize = fieldOffset + fieldSize;
 
       if (fieldAlign > structAlign)
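Review bot: The replacement comment on the `info.mType = nullptr;` line reads awkwardly and does not say where the real value comes from or why it cannot be stored at this point, so a later reader may well "fix" it back to `info.mType = fieldType;`. Suggest `// Deliberately null: the hash is not traced until it is stored in SLOT_FIELDINFO, so a pointer kept here could presumably go stale across a moving GC; mType is filled in from fieldRoots right before that store.` That the hash is untraced until stored is inferred from the old comment and the commit title rather than shown in the hunk, so confirm it against the tracing code before wording the comment that strongly. StructType::DefineInternal starts before this hunk.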
@@ -4973,16 +4973,22 @@ StructType::DefineInternal(JSContext* cx
     structSize = 1;
     structAlign = 1;
   }
 
   RootedValue sizeVal(cx);
   if (!SizeTojsval(cx, structSize, &sizeVal))
     return false;
 
+  for (FieldInfoHash::Range r = fields->all(); !r.empty(); r.popFront()) {
+    FieldInfo& field = r.front().value();
+    MOZ_ASSERT(field.mIndex < fieldRoots.length());
+    field.mType = &fieldRoots[field.mIndex].toObject();
+  }
+
   JS_SetReservedSlot(typeObj, SLOT_FIELDINFO, PRIVATE_TO_JSVAL(fields.release()));
 
   JS_SetReservedSlot(typeObj, SLOT_SIZE, sizeVal);
   JS_SetReservedSlot(typeObj, SLOT_ALIGN, INT_TO_JSVAL(structAlign));
   //if (!JS_FreezeObject(cx, prototype)0 // XXX fixme - see bug 541212!
   //  return false;
   JS_SetReservedSlot(typeObj, SLOT_PROTO, OBJECT_TO_JSVAL(prototype));
   return true;
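Review bot: The fix-up loop added ahead of `JS_SetReservedSlot(typeObj, SLOT_FIELDINFO, ...)` carries no comment stating the invariant it relies on: nothing between assigning `field.mType` and the SLOT_FIELDINFO store may allocate or otherwise let a GC run, because the hash presumably only becomes traceable once it sits in that slot. Without that note, a later change that inserts an allocating call between the loop and the store (SizeTojsval, which can fail and so likely allocates, already sits above the loop, which looks like the reason for this placement) would silently reintroduce the bug. Suggest `// Fill in mType only now: the hash is not traced until stored in SLOT_FIELDINFO below, so no GC may run between this loop and that store.` The `toObject()` calls also assume every entry of fieldRoots holds an object value, which the hunk does not show; a `MOZ_ASSERT(fieldRoots[field.mIndex].isObject());` beside the existing index assert would make that explicit. DefineInternal continues past the end of this hunk.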
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/ctypes/bug1155985.js
@@ -0,0 +1,14 @@
+function test() {
+  for (let i = 0; i < 100; i++) {
+    let test_struct = ctypes.StructType("test_struct", [{ "x": ctypes.int32_t },
+                                                        { "bar": ctypes.uint32_t }]);
+
+    try {
+      new test_struct("foo", "x");
+    } catch (e) {
+    }
+  }
+}
+
+if (typeof ctypes === "object")
+  test();
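Review bot: The regression test gives no hint of what it regresses or why it needs 100 iterations and an empty catch, so a future maintainer cannot tell whether trimming either breaks its purpose. A header comment such as `// Bug 1155985: constructing a StructType with bad arguments must not read a stale FieldInfo::mType; the loop repeats so a moving GC has a chance to run in between.` would record that. Whether the loop alone reliably provokes a GC presumably depends on the jit-test harness's GC configurations rather than anything in this file; confirm the test fails without the CTypes.cpp change so it actually guards the fix. The empty catch is acceptable here since the point is the absence of a crash, but saying so in the comment avoids it being flagged as a swallowed error later.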