Bug 1612057 Comment 3 Edit History

Luke pointed out to me that our pointers in Value come from the GC allocator only. This goes through the js::gc::Chunk allocator in [1]. As long as we continue to control the mappings there we should be fine.

See [2] for a more involved explanation of these concerns. That jemalloc comment is probably outdated and maybe we should remove it.

[1] https://searchfox.org/mozilla-central/rev/3811b11b5773c1dccfe8228bfc7143b10a9a2a99/js/src/gc/Allocator.cpp#824
[2] https://searchfox.org/mozilla-central/rev/3811b11b5773c1dccfe8228bfc7143b10a9a2a99/js/src/gc/Memory.cpp#83-105