Bug 884934 - Fix intermittent SM(r) failure on InitialShapeTable::Ptr; r=sfink
author Terrence Cole <terrence@mozilla.com>
Wed, 19 Jun 2013 11:09:36 -0700
changeset 147146 61b6312cfab23a38dc75c4ce24570f9f9c881760
parent 147145 d7a1b18447fec42c393aa5e7091b3c9854b21618
child 147147 6d4a482b6aa77194d489ea8f9b483696a2b587c4
push id 2697
push user bbajaj@mozilla.com
push date Mon, 05 Aug 2013 18:49:53 +0000
treeherder mozilla-beta@dfec938c7b63
reviewers sfink
bugs 884934
milestone 24.0a1
Bug 884934 - Fix intermittent SM(r) failure on InitialShapeTable::Ptr; r=sfink

In EmptyShape::getInitialShape, the InitialShapeSet::AddPtr is not guarded and will get poisoned by the analysis if the hash happens to look like a GC thing pointer.
js/src/vm/Shape.cpp
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -1321,16 +1321,17 @@ EmptyShape::getInitialShape(JSContext *c
 
     typedef InitialShapeEntry::Lookup Lookup;
     InitialShapeSet::AddPtr p =
         table.lookupForAdd(Lookup(clasp, proto, parent, metadata, nfixed, objectFlags));
 
     if (p)
         return p->shape;
 
+    SkipRoot skip(cx, &p); /* The hash may look like a GC pointer and get poisoned. */
     Rooted<TaggedProto> protoRoot(cx, proto);
     RootedObject parentRoot(cx, parent);
     RootedObject metadataRoot(cx, metadata);
 
     StackBaseShape base(cx->compartment(), clasp, parent, metadata, objectFlags);
     Rooted<UnownedBaseShape*> nbase(cx, BaseShape::getUnowned(cx, base));
     if (!nbase)
         return NULL;
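Review bot: The comment on the added `SkipRoot skip(cx, &p);` line says the hash may "get poisoned" but not by what, nor why it is safe to skip `p`. Someone reading Shape.cpp without the commit message cannot tell that the guard is there for the rooting analysis, or that the `AddPtr` holds a hash value and not a GC thing. Please name the analysis in the comment and state that `p` holds no GC pointer that needs rooting. Separately, `p` now stays live across `BaseShape::getUnowned(cx, base)`, which takes `cx`, so it would help to note next to the guard whether `p` is still expected to be valid for the later add if that call changes `table`; the code that uses `p` afterwards is outside this hunk. The commit message describes the `AddPtr` as "not guarded" at this one site, so a short follow-up checking other places that hold an `AddPtr` across calls taking `cx` would be worth filing.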