Bug 1399866 - Trigger global's read barrier in js::NewProxyObject r=sfink
authorJon Coppeard <jcoppeard@mozilla.com>
Wed, 16 Oct 2019 17:04:32 +0000
changeset 559239 cec21bd2065865bc33b84e3c6b65e7a65ef3b6ea
parent 559238 2c962324e4a04279bbbfdc1d53e2fee8ce66c1cf
child 559240 0f2ab1f1dc330bbc931935d1167be2850a773a62
push id 12175
push user ccoroiu@mozilla.com
push date Thu, 17 Oct 2019 19:29:09 +0000
reviewers sfink
bugs 1399866
milestone 71.0a1
Bug 1399866 - Trigger global's read barrier in js::NewProxyObject r=sfink

When remapping wrappers the embedding can call this to create a new proxy object while in a realm whose global is gray. This breaks the JS API invariants and can cause black to gray GC edges to be created. Fix this by triggering the global's read barrier here.

Differential Revision: https://phabricator.services.mozilla.com/D49430
js/src/proxy/Proxy.cpp
--- a/js/src/proxy/Proxy.cpp
+++ b/js/src/proxy/Proxy.cpp
@@ -770,16 +770,22 @@ const JSClass js::ProxyClass =
                                  JSCLASS_HAS_RESERVED_SLOTS(2));
 
 JS_FRIEND_API JSObject* js::NewProxyObject(JSContext* cx,
                                            const BaseProxyHandler* handler,
                                            HandleValue priv, JSObject* proto_,
                                            const ProxyOptions& options) {
   AssertHeapIsIdle();
   CHECK_THREAD(cx);
+
+  // This can be called from the compartment wrap hooks while in a realm with a
+  // gray global. Trigger the read barrier on the global to ensure this is
+  // unmarked.
+  cx->realm()->maybeGlobal();
+
   if (proto_ != TaggedProto::LazyProto) {
     cx->check(proto_);  // |priv| might be cross-compartment.
   }
 
   if (options.lazyProto()) {
     MOZ_ASSERT(!proto_);
     proto_ = TaggedProto::LazyProto;
   }