Bug 1365564 - Fix GCMarker::stackContainsCrossZonePointerTo to check all proxies for cross compartment target objects r=sfink
authorJon Coppeard <jcoppeard@mozilla.com>
Sat, 27 May 2017 10:52:21 +0200
changeset 409126 d6e64cc963fafad4df113608b2d8d8ae357f6c19
parent 409086 ebad93e117700d8e2d65573b824beb18a8cc2030
child 409127 bf76bce5f85b2f8293b62f683c7415a163f43e7f
push id7391
push usermtabara@mozilla.com
push dateMon, 12 Jun 2017 13:08:53 +0000
treeherdermozilla-beta@2191d7f87e2e [default view] [failures only]
reviewerssfink
bugs1365564
milestone55.0a1
Bug 1365564 - Fix GCMarker::stackContainsCrossZonePointerTo to check all proxies for cross compartment target objects r=sfink
js/src/gc/Marking.cpp
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@@ -2602,21 +2602,26 @@ GCMarker::stackContainsCrossZonePointerT
         if (iter.peekTag() != MarkStack::ObjectTag)
             continue;
 
         auto source = iter.peekPtr().as<JSObject>();
         Zone* sourceZone = source->zone();
         if (sourceZone == targetZone)
             continue;
 
-        if ((IsCrossCompartmentWrapper(source) && source->as<ProxyObject>().target() == target) ||
-            Debugger::isDebuggerCrossCompartmentEdge(source, target))
-        {
+        // The private slot of proxy objects might contain a cross-compartment
+        // pointer.
+        if (source->is<ProxyObject>()) {
+            Value value = source->as<ProxyObject>().private_();
+            if (value.isObject() && &value.toObject() == target)
+                return sourceZone;
+        }
+
+        if (Debugger::isDebuggerCrossCompartmentEdge(source, target))
             return sourceZone;
-        }
     }
 
     return nullptr;
 }
 #endif // DEBUG
 
 
 /*** Tenuring Tracer *****************************************************************************/
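Review bot: The new comment above `if (source->is<ProxyObject>())` does not say why the test was widened from `IsCrossCompartmentWrapper(source)` to every proxy, and that reasoning matters here. Any proxy in another zone whose private slot equals `target` now counts as a legitimate cross-zone edge, which makes this DEBUG-only check more permissive. Since it appears to back a marking assertion, a reader needs to know which non-wrapper proxies are expected to hold such a pointer, otherwise the looser match could hide an unintended cross-zone reference. I would expand the comment along the lines of `// Not only CCWs: other proxy kinds may keep a cross-compartment object in their private slot, so accept any proxy whose private value is |target|.` and name those proxy kinds. The function body starts outside the hunk, so the loop setup and the type of `target` are not visible from here.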