Bug 673017 - Fix use of uninitialized data. r=wmccloskey.
author: Rafael Ávila de Espíndola <respindola@mozilla.com>
date: Mon, 29 Aug 2011 13:56:58 -0400
changeset 77501 f092ce58bc204e65f01482da8e4a978cbce00fe3
parent 77500 5e6848a5ca2a26a8266df2a4c10ad5828ddbc1c7
child 77502 ba38da32b8483d359991524a18cc977ec7d6d76e
push id: 78
push user: clegnitto@mozilla.com
push date: Fri, 16 Dec 2011 17:32:24 +0000
reviewers: wmccloskey
bugs: 673017
milestone: 9.0a1
Bug 673017 - Fix use of uninitialized data. r=wmccloskey. The chunk's bitmap was being cleared at the first GC cycle, but it could be read before that. Clear it early to fix that.
js/src/jsgc.cpp
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -334,20 +334,21 @@ Chunk::init(JSRuntime *rt)
         a->aheader.setAsNotAllocated();
         prevp = &a->aheader.next;
     }
     *prevp = NULL;
 
     for (size_t i = 0; i != JS_ARRAY_LENGTH(markingDelay); ++i)
         markingDelay[i].init();
 
-    /*
-     * The rest of info fields is initailzied in PickChunk. We do not clear
-     * the mark bitmap as that is done at the start of the next GC.
-     */
+    /* We clear the bitmap to guard against xpc_IsGrayGCThing being called on
+       uninitialized data, which would happen before the first GC cycle. */
+    bitmap.clear();
+
+    /* The rest of info fields are initialized in PickChunk. */
 }
 
 inline Chunk **
 GetAvailableChunkList(JSCompartment *comp)
 {
     JSRuntime *rt = comp->rt;
     return comp->isSystemCompartment
            ? &rt->gcSystemAvailableChunkListHead
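Review bot: the new comment on the `+    /* We clear the bitmap ...` lines drops the multi-line comment layout the removed block used (a leading ` * ` on each continuation line, as in `-     * The rest of info fields is initailzied in PickChunk.`); keeping that layout would match the rest of jsgc.cpp. The trailing `+    /* The rest of info fields are initialized in PickChunk. */` should read "the rest of the info fields". The change itself is the right fix for the bug: `bitmap.clear()` in `Chunk::init` means any reader that consults mark bits before the first GC cycle (the comment names `xpc_IsGrayGCThing`) sees defined zero bits instead of whatever the freshly allocated chunk memory happened to contain, and the clear at the start of the next GC that the old comment relied on still happens, so this only removes the uninitialized-read window rather than changing GC behaviour.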