Bug 1133909 - Fix hazards revealed by adding in new GCPointers. r=terrence, a=lmandel
authorSteve Fink <sfink@mozilla.com>
Tue, 24 Feb 2015 09:37:13 -0800
changeset 250146 3a352baeeca4
parent 250145 bc3e9b98d90f
child 250147 d5def3938b6e
push id4513
push userryanvm@gmail.com
push date2015-03-02 19:36 +0000
reviewersterrence, lmandel
bugs1133909
milestone37.0
Bug 1133909 - Fix hazards revealed by adding in new GCPointers. r=terrence, a=lmandel
js/src/builtin/SymbolObject.cpp
js/src/builtin/SymbolObject.h
js/src/irregexp/RegExpEngine.cpp
js/src/jit/ExecutableAllocator.h
js/src/jsobj.cpp
--- a/js/src/builtin/SymbolObject.cpp
+++ b/js/src/builtin/SymbolObject.cpp
@@ -24,17 +24,17 @@ const Class SymbolObject::class_ = {
     nullptr, /* getProperty */
     nullptr, /* setProperty */
     nullptr, /* enumerate */
     nullptr, /* resolve */
     convert
 };
 
 SymbolObject *
-SymbolObject::create(JSContext *cx, JS::Symbol *symbol)
+SymbolObject::create(JSContext *cx, JS::HandleSymbol symbol)
 {
     JSObject *obj = NewBuiltinClassInstance(cx, &class_);
     if (!obj)
         return nullptr;
     SymbolObject &symobj = obj->as<SymbolObject>();
     symobj.setPrimitiveValue(symbol);
     return &symobj;
 }
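Review bot: With the parameter now a `JS::HandleSymbol`, the remaining unrooted value in this function is `obj` itself, which is held as a raw `JSObject *` from `NewBuiltinClassInstance` through `setPrimitiveValue`; that is only safe because nothing in between can allocate or trigger a GC, and the code does not say so. A one-line comment would keep the next edit from inserting a GC-capable call there, e.g. `// |obj| is unrooted: nothing between the allocation and setPrimitiveValue may GC.` The hazard the handle fixes is presumably the allocation in `NewBuiltinClassInstance` moving or collecting the symbol while a raw `JS::Symbol *` was live across it; stating that rationale next to the signature would help too.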
--- a/js/src/builtin/SymbolObject.h
+++ b/js/src/builtin/SymbolObject.h
@@ -23,17 +23,17 @@ class SymbolObject : public NativeObject
     static const Class class_;
 
     static JSObject *initClass(JSContext *cx, js::HandleObject obj);
 
     /*
      * Creates a new Symbol object boxing the given primitive Symbol.  The
      * object's [[Prototype]] is determined from context.
      */
-    static SymbolObject *create(JSContext *cx, JS::Symbol *symbol);
+    static SymbolObject *create(JSContext *cx, JS::HandleSymbol symbol);
 
     JS::Symbol *unbox() const {
         return getFixedSlot(PRIMITIVE_VALUE_SLOT).toSymbol();
     }
 
   private:
     inline void setPrimitiveValue(JS::Symbol *symbol) {
         setFixedSlot(PRIMITIVE_VALUE_SLOT, SymbolValue(symbol));
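Review bot: The doc comment above `create` is not updated for the new `JS::HandleSymbol` parameter, so callers do not learn why the signature changed or that they must now root the symbol before calling. Suggest extending the comment with one sentence such as `The symbol must be rooted by the caller: creating the object can allocate and trigger a GC.` The class body continues past the end of this hunk.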
--- a/js/src/irregexp/RegExpEngine.cpp
+++ b/js/src/irregexp/RegExpEngine.cpp
@@ -1607,18 +1607,18 @@ RegExpCompiler::Assemble(JSContext *cx,
     while (!work_list_.empty())
         work_list_.popCopy()->Emit(this, &new_trace);
 
     RegExpCode code = macro_assembler_->GenerateCode(cx, match_only_);
     if (code.empty())
         return RegExpCode();
 
     if (reg_exp_too_big_) {
+        code.destroy();
         JS_ReportError(cx, "regexp too big");
-        code.destroy();
         return RegExpCode();
     }
 
     return code;
 }
 
 template <typename CharT>
 static void
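Review bot: The reordering of `code.destroy()` ahead of `JS_ReportError` carries no explanation, and a future cleanup could easily swap the two lines back. If the motivation is that `JS_ReportError` can allocate and trigger a GC while `code` still holds an unrooted pointer into generated code (which is what the commit message's "hazards" suggests, though the hunk does not show `RegExpCode`'s contents), a comment should pin it: `// Destroy the code before reporting: JS_ReportError can GC, and |code| is not rooted.` `RegExpCompiler::Assemble` begins before this hunk, so the earlier part of the function is not visible here.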
--- a/js/src/jit/ExecutableAllocator.h
+++ b/js/src/jit/ExecutableAllocator.h
@@ -28,16 +28,17 @@
 
 #include <limits>
 #include <stddef.h> // for ptrdiff_t
 
 #include "jsalloc.h"
 
 #include "jit/arm/Simulator-arm.h"
 #include "jit/mips/Simulator-mips.h"
+#include "js/GCAPI.h"
 #include "js/HashTable.h"
 #include "js/Vector.h"
 
 #ifdef JS_CPU_SPARC
 #ifdef __linux__  // bugzilla 502369
 static void sync_instruction_memory(caddr_t v, u_int len)
 {
     caddr_t end = v + len;
@@ -241,18 +242,21 @@ public:
         // (found, or created if necessary) a pool that had enough space.
         void *result = (*poolp)->alloc(n, type);
         MOZ_ASSERT(result);
         return result;
     }
 
     void releasePoolPages(ExecutablePool *pool) {
         MOZ_ASSERT(pool->m_allocation.pages);
-        if (destroyCallback)
+        if (destroyCallback) {
+            // Do not allow GC during the page release callback.
+            JS::AutoSuppressGCAnalysis nogc;
             destroyCallback(pool->m_allocation.pages, pool->m_allocation.size);
+        }
         systemRelease(pool->m_allocation);
         MOZ_ASSERT(m_pools.initialized());
         m_pools.remove(m_pools.lookup(pool));   // this asserts if |pool| is not in m_pools
     }
 
     void addSizeOfCode(JS::CodeSizes *sizes) const;
 
     void setDestroyCallback(DestroyCallback destroyCallback) {
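Review bot: The comment added at the top of the new block, "Do not allow GC during the page release callback", overstates what `JS::AutoSuppressGCAnalysis nogc` does: the guard silences the static rooting-hazard analysis for the region, it does not prevent a GC at runtime, so the real obligation is that every `destroyCallback` implementation must not allocate or otherwise trigger a GC, and the default-constructed guard used here does not enforce that in any build as far as this hunk shows. The comment should state the contract rather than imply enforcement, e.g. `// Suppress the static hazard analysis here: destroyCallback must never allocate or trigger a GC.`, and the same requirement belongs on `setDestroyCallback` where callbacks are registered. If the allocator has a runtime available, the guard variant that takes one may also assert the no-allocation rule in debug builds — worth confirming against GCAPI.h. The enclosing class continues beyond this hunk.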
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -3586,17 +3586,18 @@ js::PrimitiveToObject(JSContext *cx, con
         Rooted<JSString*> str(cx, v.toString());
         return StringObject::create(cx, str);
     }
     if (v.isNumber())
         return NumberObject::create(cx, v.toNumber());
     if (v.isBoolean())
         return BooleanObject::create(cx, v.toBoolean());
     MOZ_ASSERT(v.isSymbol());
-    return SymbolObject::create(cx, v.toSymbol());
+    RootedSymbol symbol(cx, v.toSymbol());
+    return SymbolObject::create(cx, symbol);
 }
 
 /*
  * Invokes the ES5 ToObject algorithm on vp, returning the result. If vp might
  * already be an object, use ToObject. reportCantConvert controls how null and
  * undefined errors are reported.
  *
  * Callers must handle the already-object case.