Bug 798678 - WeakMaps with keys from another compartment are possible and incorrect (tests) (r=mccr8)
authorBill McCloskey <wmccloskey@mozilla.com>
Mon, 21 Apr 2014 13:41:44 -0700
changeset 197960 bdf89c9285437c7185544abecf1bb4fde6b0319b
parent 197959 b2a47bd7d0df3a65ec0057e0c9625adf4a0417ec
child 197961 756d9a976d8568fa2e342ec6f4cc5285395630cb
push id3624
push userasasaki@mozilla.com
push dateMon, 09 Jun 2014 21:49:01 +0000
treeherdermozilla-beta@b1a5da15899a [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmccr8
bugs798678
milestone31.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 798678 - WeakMaps with keys from another compartment are possible and incorrect (tests) (r=mccr8)
js/src/gc/Heap.h
js/src/jit-test/tests/basic/bug798678.js
--- a/js/src/gc/Heap.h
+++ b/js/src/gc/Heap.h
@@ -967,17 +967,17 @@ ArenaHeader::unsetAllocDuringSweep()
     auxNextLink = 0;
 }
 
 static void
 AssertValidColor(const void *thing, uint32_t color)
 {
 #ifdef DEBUG
     ArenaHeader *aheader = reinterpret_cast<const Cell *>(thing)->arenaHeader();
-    JS_ASSERT_IF(color, color < aheader->getThingSize() / CellSize);
+    JS_ASSERT(color < aheader->getThingSize() / CellSize);
 #endif
 }
 
 inline ArenaHeader *
 Cell::arenaHeader() const
 {
     JS_ASSERT(isTenured());
     uintptr_t addr = address();
@@ -1010,16 +1010,17 @@ Cell::shadowRuntimeFromAnyThread() const
 {
     return reinterpret_cast<JS::shadow::Runtime*>(runtimeFromAnyThread());
 }
 
 bool
 Cell::isMarked(uint32_t color /* = BLACK */) const
 {
     JS_ASSERT(isTenured());
+    JS_ASSERT(arenaHeader()->allocated());
     AssertValidColor(this, color);
     return chunk()->bitmap.isMarked(this, color);
 }
 
 bool
 Cell::markIfUnmarked(uint32_t color /* = BLACK */) const
 {
     JS_ASSERT(isTenured());
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug798678.js
@@ -0,0 +1,10 @@
+var w = new WeakMap();
+var g = newGlobal();
+var k = g.eval('for (var i=0; i<100; i++) new Object(); var q = new Object(); q');
+w.set(k, {});
+k = null;
+
+gc();
+g.eval('q = null');
+gc(g);
+gc();