Fix crashes caused by wrap() call triggering GC in JitActivation constructor

RESOLVED FIXED in Firefox 45

People

(Reporter: jandem, Assigned: jandem)

Tracking

unspecified
mozilla45
Firefox Tracking Flags

(firefox45 fixed)

Attachments

(1 attachment)

Description (Assignee)
We have a lot of intermittent oranges (bug 1224831, 1223508, etc.) in GC code marking JitActivations.

The problem is JitActivation's constructor calling JSCompartment::wrap(), which can trigger GC, while the stack is in an invalid state between the constructor linking the activation and entering JIT code.
Updated (Assignee)

Blocks: 1224831, 1223508
Comment 1 (Assignee)

Created attachment 8688060: Patch

This patch moves the AutoEntryMonitor code out of Activation and into a new class, ActivationEntryMonitor.

This way, we call compartment->wrap() before we start modifying the activation list etc.

I considered using AutoSuppressGC instead of this, but it's possible we'll end up walking the stack for other reasons, so just moving the code out of the constructor seemed safest.
Attachment #8688060 - Flags: review?(nfitzgerald)
Attachment #8688060 - Flags: review?(nfitzgerald) → review+
Blocks: 1225375
Blocks: 1225379
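The sequencing problem in comment 1 is easy to lose in the real engine, so here is a reduced model of it as an added example. This is not SpiderMonkey code and none of the names (`Runtime`, `Activation`, `gcWalkStack`, `wrap`, `BuggyJitActivation`, `ActivationEntryMonitor`, `FixedJitActivation`) are the engine's; they are hypothetical stand-ins that keep only the shape of the bug: a constructor links a half-initialised object into a list that the GC walks, then does work that can trigger a GC. The "after" variant moves the GC-capable work into a separate RAII object that runs before the activation is linked, which is the structure the patch description gives.

```cpp
// Reduced model of the ordering bug in this report (added example, hypothetical
// names; not SpiderMonkey code).
#include <cassert>

struct Activation;

// Hypothetical runtime: owns the activation list and a GC that walks it.
struct Runtime {
    Activation* activations = nullptr;  // intrusive list, newest first
    int badActivationsSeen = 0;         // activations the GC found half-built

    void gcWalkStack();                 // models the GC marking pass
    void wrap(bool mayGC) {             // models JSCompartment::wrap(): may GC
        if (mayGC) gcWalkStack();
    }
};

// Base activation: the constructor links into the runtime's list immediately,
// so from this point on the GC can observe the object.
struct Activation {
    Runtime* rt;
    Activation* prev;
    bool entered;  // becomes true only when construction has fully finished

    explicit Activation(Runtime* r) : rt(r), prev(r->activations), entered(false) {
        rt->activations = this;
    }
    ~Activation() { rt->activations = prev; }
};

void Runtime::gcWalkStack() {
    // The GC assumes every linked activation is in a consistent state.
    for (Activation* a = activations; a; a = a->prev)
        if (!a->entered) ++badActivationsSeen;
}

// "Before": wrap() runs inside the constructor, after linking and before the
// activation is complete. A GC triggered here sees an invalid stack.
struct BuggyJitActivation : Activation {
    BuggyJitActivation(Runtime* r, bool gc) : Activation(r) {
        rt->wrap(gc);
        entered = true;
    }
};

// "After": an RAII monitor performs the GC-capable wrap() work first, while the
// activation list is still consistent; the activation itself no longer wraps.
struct ActivationEntryMonitor {
    ActivationEntryMonitor(Runtime* r, bool gc) { r->wrap(gc); }
};

struct FixedJitActivation : Activation {
    explicit FixedJitActivation(Runtime* r) : Activation(r) { entered = true; }
};

// Returns how many half-built activations the GC observed in each variant.
int runBuggy(bool gc) {
    Runtime rt;
    { BuggyJitActivation act(&rt, gc); }
    return rt.badActivationsSeen;
}

int runFixed(bool gc) {
    Runtime rt;
    {
        ActivationEntryMonitor monitor(&rt, gc);  // may GC; list still consistent
        FixedJitActivation act(&rt);              // linked only once complete
    }
    return rt.badActivationsSeen;
}

int main() {
    assert(runBuggy(false) == 0);  // no GC during construction: nothing to see
    assert(runBuggy(true) == 1);   // GC inside the constructor sees a bad activation
    assert(runFixed(true) == 0);   // wrap() moved before linking: invariant holds
    return 0;
}
```

The `entered` flag stands in for whatever consistency the real GC walker expects of a linked activation; the point the model makes is that any GC-capable call placed between "linked into the list" and "fully initialised" is a window the marker can land in, and the fix is to shrink that window to nothing rather than to suppress GC across it (the AutoSuppressGC option comment 1 rejects, since other stack walks could still run there).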

Comment 3 (bugherder)
https://hg.mozilla.org/mozilla-central/rev/1a6bb31af78a
Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
status-firefox45: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla45