931218 - Handle an exact rooting hazard in stealContents

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Terrence Cole [:terrence]]

Attachment: hazard_stealcontents-v0.diff

This handlifies a few interfaces and adds an assertion that the object we stole the contents from was not in the nursery: writing inlined nursery or nursery allocated ObjectElements into a void* would be super-bad. I have no idea if this assertion is actually valid, but it doesn't fire for me currently in jit-tests --tbpl.

Comment 1

[Steve Fink [:sfink] [:s:]]

Comment on attachment 822566 [details] [diff] [review]
hazard_stealcontents-v0.diff

Review of attachment 822566 [details] [diff] [review]:
-----------------------------------------------------------------

Yeah, I think I left the API as a JSObject* because it gets immediately unwrapped anyway, but if we're handlifying the JSAPI now, then this is good.

There are probably other places you could assert !IsInsideNursery.

Comment 2

[Terrence Cole [:terrence]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/3124171c8f9a

Comment 3

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/3124171c8f9a

Comment 4

[u279076]

(In reply to Phil Ringnalda (:philor) from comment #3)
> https://hg.mozilla.org/mozilla-central/rev/3124171c8f9a

Can you please confirm the target milestone is corect? mozilla-central was Firefox 27 at this time.

Comment 5

[Ryan VanderMeulen [:RyanVM]]

That was the uplift day. It landed after mozilla-central was uplifted to Aurora. In the future, you can confirm this for yourself by noting that revision 3124171c8f9a is not on mozilla-beta.