GC: missing barrier in JSFunction clone

RESOLVED FIXED in mozilla12

Status


Core
JavaScript Engine
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: terrence, Assigned: terrence)

Tracking

Trunk
mozilla12

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

6 years ago
Created attachment 583328 [details] [diff] [review]
v1

When we clone a function, we need post barriers after assigning the internal JSScript and JSObject pointers into the new object.
Attachment #583328 - Flags: review?(wmccloskey)
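
What a post barrier records in a generational collector, and what a clone that stores the pointer without it loses, shown as a toy model. This is an added example, not SpiderMonkey code and not part of the attached patch. `Heap`, `storeBuffer`, `cloneRaw`, `cloneBarriered` and `scriptSurvives` are hypothetical names, and the tenured clone pointing at a nursery script is a constructed scenario.

```cpp
#include <unordered_set>
#include <vector>

struct Script   { bool inNursery; bool alive; };
struct Function { bool inNursery; Script* script; };

struct Heap {
    std::vector<Script*> nursery;               // young cells a minor GC may free
    std::unordered_set<Function*> storeBuffer;  // tenured owners of nursery pointers

    // Post barrier: runs after the store and remembers old-to-young edges.
    void postBarrier(Function* owner, Script* target) {
        if (!owner->inNursery && target && target->inNursery)
            storeBuffer.insert(owner);
    }

    // Minor GC: tenured cells are not scanned, only the store buffer is.
    void minorGC() {
        std::unordered_set<Script*> live;
        for (Function* f : storeBuffer) live.insert(f->script);
        for (Script* s : nursery) {
            if (live.count(s)) s->inNursery = false;  // promoted
            else s->alive = false;                    // reclaimed
        }
        nursery.clear();
        storeBuffer.clear();
    }
};

// Clone that stores the pointer directly: the edge is never recorded.
void cloneRaw(Heap&, Function& clone, const Function& fun) { clone.script = fun.script; }

// Clone that stores the pointer and then runs the post barrier.
void cloneBarriered(Heap& h, Function& clone, const Function& fun) {
    clone.script = fun.script;
    h.postBarrier(&clone, clone.script);
}

// Constructed scenario: nursery script, tenured clone, original dies before GC.
bool scriptSurvives(bool useBarrier) {
    Heap h;
    Script s{true, true};
    h.nursery.push_back(&s);
    Function fun{true, &s}, clone{false, nullptr};
    if (useBarrier) cloneBarriered(h, clone, fun); else cloneRaw(h, clone, fun);
    h.minorGC();
    return clone.script->alive;  // false means the clone holds a stale pointer
}

int main() { return (scriptSurvives(true) && !scriptSurvives(false)) ? 0 : 1; }
```
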
(Assignee)

Comment 1

6 years ago
Created attachment 583343 [details] [diff] [review]
v2

Much more elegant with Bill's IRL feedback.
Assignee: general → terrence
Attachment #583328 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #583328 - Flags: review?(wmccloskey)
Attachment #583343 - Flags: review?(wmccloskey)
Comment on attachment 583343 [details] [diff] [review]
v2

Review of attachment 583343 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsfun.cpp
@@ +2199,5 @@
>  
>      clone->nargs = fun->nargs;
>      clone->flags = fun->flags & ~JSFUN_EXTENDED;
> +    if (fun->isInterpreted()) {
> +        clone->initScript(fun->u.i.script_);
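
Review bot: In the `if (fun->isInterpreted())` branch, `clone->initScript(fun->u.i.script_);` reaches into the source function's raw union member, which couples this call to the field layout; read the value through an accessor on `fun` instead. The bug description says both the JSScript and JSObject pointers need post barriers, but only the script initialization is visible in this context, so the rest of the branch should set the object pointer through an equivalent init helper rather than a plain store. A one-line comment above the `init` call saying why it is used instead of direct assignment would help later readers.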

Please change fun->u.i.script_ to fun->script(). Otherwise it looks good.
Attachment #583343 - Flags: review?(wmccloskey) → review+
(Assignee)

Comment 3

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/a51c0f8b8be1

Comment 4

6 years ago
https://hg.mozilla.org/mozilla-central/rev/a51c0f8b8be1
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12