Closed Bug 1341752 Opened 7 years ago Closed 7 years ago

js::TraceChildren should assert that it's not called with a GC thing from another runtime

Categories

(Core :: JavaScript: GC, defect)

Product:
Core
Component:
JavaScript: GC
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: jonco, Assigned: pbone)

Details

(Keywords: good-first-bug)

Attachments

(1 file, 2 obsolete files)

patch
3.07 KB, patch
Details | Diff | Splinter Review 
This would help prevent bugs like bug 1337414.
To be more specific, some GC things are allowed to be referenced cross-runtime: permanent atoms, well known symbols and self-hosted data (see IsOwnedByOtherRuntime).  I think this may change in the future with the multi-threaded changes though.

There's also the issue of there being two overloads of TraceChildren.  Everything should be calling the version that takes a GCCellPtr now unless there's some good reason.
Keywords: good-first-bug
Assignee: nobody → pbone
Status: NEW → ASSIGNED
Attached patch patch (obsolete) — Splinter Review 

        Attachment #8870067 -
        Flags: review?(jcoppeard)

    
    

    
  
Comment on attachment 8870067 [details] [diff] [review]
patch

Review of attachment 8870067 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/gc/Marking.cpp
@@ -161,1 @@
>  template <> bool ThingIsPermanentAtomOrWellKnownSymbol<JSString>(JSString* str) {

You'll need to move all the template specialisations to the header file too otherwise the other .cpp file won't see them.

::: js/src/gc/Tracer.cpp
@@ +113,5 @@
>  
>  struct TraceChildrenFunctor {
>      template <typename T>
> +    void operator()(JSTracer* trc, void* _thing) {
> +        T* thing = static_cast<T*>(_thing);

nit: I think we usually use a name like 'thingArg' rather than '_thing' in this case.

        Attachment #8870067 -
        Flags: review?(jcoppeard)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patch (obsolete)
        — Splinter Review
      

    


  

        Attachment #8870067 -
        Attachment is obsolete: true

        Attachment #8870174 -
        Flags: review?(jcoppeard)

    
    

    
  
Comment on attachment 8870174 [details] [diff] [review]
patch

Review of attachment 8870174 [details] [diff] [review]:
-----------------------------------------------------------------

r=me providing the test pass on try.

        Attachment #8870174 -
        Flags: review?(jcoppeard) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  
Updated to fix try failures.

        Attachment #8870174 -
        Attachment is obsolete: true

    
  
Keywords: checkin-needed

    
    

    
  
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/fac6b111e23b
Assert that thing has correct runtime in js::TraceChildren. r=jonco
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/fac6b111e23b
Status: ASSIGNED → RESOLVED
Closed: 7 years ago

          status-firefox55:
          --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: