Closed Bug 929151 Opened 6 years ago Closed 6 years ago

InitialShapeTable hash depends on movable object address

Categories

(Core :: JavaScript Engine, defect)

RESOLVED FIXED
mozilla27

People

(Reporter: sfink, Assigned: sfink)

Attachments

(1 file)

The InitialShapeTable uses a Lookup with an optional 'metadata' field, which may be nursery-allocated. If that moves, the entry will become unfindable.
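
A minimal model of the failure described above, as an added example that is not part of the original bug or of SpiderMonkey: `Metadata`, `AddrKeyedTable`, `evict` and `findableAfterMove` are hypothetical stand-ins, and the two stack slots stand in for nursery and tenured storage. It also shows rekeying on move, the general alternative to the attached patch, which instead disables generational GC.

```cpp
// Added illustration (not SpiderMonkey code): a table hashed on a key
// object's address loses its entry when a moving collector relocates the key.
#include <unordered_map>

struct Metadata { int tag; };  // hypothetical stand-in for the 'metadata' object

// Hypothetical stand-in for InitialShapeTable: entries are hashed by key address.
struct AddrKeyedTable {
    std::unordered_map<const Metadata*, int> entries;

    void put(const Metadata* key, int shape) { entries[key] = shape; }
    bool has(const Metadata* key) const { return entries.count(key) != 0; }

    // What a moving GC has to do for every relocated key: drop the entry
    // stored under the old address and reinsert it under the new one.
    void rekey(const Metadata* from, const Metadata* to) {
        auto it = entries.find(from);
        if (it == entries.end())
            return;
        int shape = it->second;
        entries.erase(it);
        entries[to] = shape;
    }
};

// Simulated minor GC: copy the cell out of the "nursery" slot into the
// "tenured" slot and return its new address.
const Metadata* evict(const Metadata& nurseryCell, Metadata& tenuredCell) {
    tenuredCell = nurseryCell;
    return &tenuredCell;
}

// Returns true when the entry can still be found through the moved key.
bool findableAfterMove(bool rekeyOnMove) {
    Metadata nursery{7}, tenured{0};  // constructed sample cells
    AddrKeyedTable table;
    table.put(&nursery, 42);          // hash computed from the nursery address

    const Metadata* moved = evict(nursery, tenured);
    if (rekeyOnMove)
        table.rekey(&nursery, moved);
    return table.has(moved);          // lookup hashes the new address
}

int main() {
    // Exit 0 when the stale entry is lost without rekeying and found with it.
    return (!findableAfterMove(false) && findableAfterMove(true)) ? 0 : 1;
}
```
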
It seems kind of gross to be calling out to jsfriendapi from jscompartment.cpp. Perhaps I should move the DisableGenerational thing somewhere else.
Attachment #819991 - Flags: review?(terrence)
Blocks: 927204
Comment on attachment 819991
Disable GGC when object metadata is used

Review of attachment 819991:
-----------------------------------------------------------------

r=me

::: js/src/jscompartment.cpp
@@ +630,5 @@
> +
> +    // Turn off GGC to prevent nursery-allocated metadata from being used
> +    // as a lookup key in InitialShapeTable entries.
> +    if (callback)
> +        JS::DisableGenerationalGC(runtime_);

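Review bot: JS::DisableGenerationalGC(runtime_) in the if (callback) branch takes the runtime, so installing a metadata callback for one compartment turns generational GC off for every compartment in that runtime, and the added comment only gives the InitialShapeTable reason. Suggest extending the comment to say that the effect is runtime-wide and that this function never turns GGC back on, so embedders know the cost of setting the callback.
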
I guess it's trivial enough that we should probably also allow full removal of the callback:

else
    JS::EnableGenerationalGC(runtime_);

@@ +631,5 @@
> +    // Turn off GGC to prevent nursery-allocated metadata from being used
> +    // as a lookup key in InitialShapeTable entries.
> +    if (callback)
> +        JS::DisableGenerationalGC(runtime_);
> +    objectMetadataCallback = callback;

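Review bot: objectMetadataCallback = callback; overwrites the previous value without looking at it, so replacing one non-null callback with another runs JS::DisableGenerationalGC(runtime_) a second time. If disable calls are counted, that leaves the count unbalanced; suggest disabling only when the old value is null and the new one is not, by testing objectMetadataCallback before the assignment.
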
Let's put a line break above the assignment so that this looks like 3 discrete actions.
Attachment #819991 - Flags: review?(terrence) → review+
Blocks: 929547
https://hg.mozilla.org/mozilla-central/rev/fa13474d7b16
https://hg.mozilla.org/mozilla-central/rev/a2622f851534
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27