Bug 1456508 - Fix conflict between gray buffer canary value and incremental marking validation r=sfink
authorJon Coppeard <jcoppeard@mozilla.com>
Mon, 30 Apr 2018 10:23:39 +0100
changeset 469814 13ec6c3b62f0591e37faf6dfa60d48a1817f2258
parent 469813 9263b4c0044716e788fa6f6097c305501cb12faa
child 469815 0f779e591907158fe78d0bb6ddd99c8fb227ab92
push id9179
push userarchaeopteryx@coole-files.de
push dateThu, 03 May 2018 15:28:18 +0000
reviewerssfink
bugs1456508
milestone61.0a1
Bug 1456508 - Fix conflict between gray buffer canary value and incremental marking validation r=sfink
js/src/gc/RootMarking.cpp
js/src/jit-test/tests/gc/bug-1456508.js
--- a/js/src/gc/RootMarking.cpp
+++ b/js/src/gc/RootMarking.cpp
@@ -534,22 +534,22 @@ GCRuntime::markBufferedGrayRoots(JS::Zon
 {
     MOZ_ASSERT(grayBufferState == GrayBufferState::Okay);
     MOZ_ASSERT(zone->isGCMarkingGray() || zone->isGCCompacting());
 
     auto& roots = zone->gcGrayRoots();
     if (roots.empty())
         return;
 
-    // Check for and remove canary value.
+    // Check for canary value but don't remove it.
     MOZ_RELEASE_ASSERT(roots.length() > 1);
     MOZ_RELEASE_ASSERT(roots.back() == GrayBufferCanary);
-    roots.popBack();
 
-    for (auto cell : zone->gcGrayRoots()) {
+    for (size_t i = 0; i < roots.length() - 1; i++) {
+        Cell* cell = roots[i];
         MOZ_ASSERT(IsCellPointerValid(cell));
         TraceManuallyBarrieredGenericPointerEdge(&marker, &cell, "buffered gray root");
     }
 }
 
 void
 GCRuntime::resetBufferedGrayRoots() const
 {
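Review bot: The rewritten comment on the new side ("Check for canary value but don't remove it.") says the canary now stays in the buffer but not why, and the why is the whole fix; a later reader of markBufferedGrayRoots will be tempted to restore the popBack. If the commit title describes it accurately, the buffer can be traversed again by incremental marking validation and must still look intact then, so I would expand it to `// Check for the canary value but don't remove it: the buffer may be marked again (e.g. by incremental marking validation) and the canary must still be present then.` As a style point, the new loop bound `roots.length() - 1` is re-evaluated every iteration and its safety against wrapping rests on the `> 1` release assert two lines above; hoisting it as `const size_t numRoots = roots.length() - 1;  // exclude the trailing canary` ties the two together. The function's signature sits above the hunk.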
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1456508.js
@@ -0,0 +1,4 @@
+// |jit-test| error: ReferenceError
+gczeal(11, 5);
+gczeal(22, 9);
+grayRoot().map = wm;
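Review bot: The expected ReferenceError comes from `wm` never being declared on the last line, and nothing in the file says so, so the line reads as a typo rather than the intended trigger; `grayRoot().map` is evaluated before the right-hand side, so the gray root is created and only then does the assignment throw. A comment such as `// 'wm' is deliberately undefined: the ReferenceError is the expected exit.` would keep someone from "fixing" it and silently changing what the test exercises. It would also help to say in a comment what the two gczeal calls set up for this regression, since the numeric arguments carry no meaning on their own.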