Bug 831733 - GC: Transplant jsapi test (testBug604087) fails with rooting analysis r=billm

This commit is contained in:
Jon Coppeard 2013-01-17 10:09:14 +00:00
parent ebb1a78cb9
commit 82af8dd2b4
2 changed files with 15 additions and 7 deletions

View File

@ -20,6 +20,7 @@
#include "assembler/wtf/Platform.h" #include "assembler/wtf/Platform.h"
#include "gc/Marking.h" #include "gc/Marking.h"
#include "gc/Root.h"
#include "js/MemoryMetrics.h" #include "js/MemoryMetrics.h"
#include "methodjit/MethodJIT.h" #include "methodjit/MethodJIT.h"
#include "methodjit/PolyIC.h" #include "methodjit/PolyIC.h"
@ -243,6 +244,9 @@ bool
JSCompartment::putWrapper(const CrossCompartmentKey &wrapped, const js::Value &wrapper) JSCompartment::putWrapper(const CrossCompartmentKey &wrapped, const js::Value &wrapper)
{ {
JS_ASSERT(wrapped.wrapped); JS_ASSERT(wrapped.wrapped);
JS_ASSERT(!IsPoisonedPtr(wrapped.wrapped));
JS_ASSERT(!IsPoisonedPtr(wrapped.debugger));
JS_ASSERT(!IsPoisonedPtr(wrapper.toGCThing()));
JS_ASSERT_IF(wrapped.kind == CrossCompartmentKey::StringWrapper, wrapper.isString()); JS_ASSERT_IF(wrapped.kind == CrossCompartmentKey::StringWrapper, wrapper.isString());
JS_ASSERT_IF(wrapped.kind != CrossCompartmentKey::StringWrapper, wrapper.isObject()); JS_ASSERT_IF(wrapped.kind != CrossCompartmentKey::StringWrapper, wrapper.isObject());
// todo: uncomment when bug 815999 is fixed: // todo: uncomment when bug 815999 is fixed:
@ -251,8 +255,9 @@ JSCompartment::putWrapper(const CrossCompartmentKey &wrapped, const js::Value &w
} }
bool bool
JSCompartment::wrap(JSContext *cx, Value *vp, JSObject *existing) JSCompartment::wrap(JSContext *cx, Value *vp, JSObject *existingArg)
{ {
RootedObject existing(cx, existingArg);
JS_ASSERT(cx->compartment == this); JS_ASSERT(cx->compartment == this);
JS_ASSERT_IF(existing, existing->compartment() == cx->compartment); JS_ASSERT_IF(existing, existing->compartment() == cx->compartment);
JS_ASSERT_IF(existing, vp->isObject()); JS_ASSERT_IF(existing, vp->isObject());

View File

@ -1049,8 +1049,10 @@ js::NukeCrossCompartmentWrappers(JSContext* cx,
// |newTarget|. This recomputes the wrapper with JS_WrapValue, and thus can be // |newTarget|. This recomputes the wrapper with JS_WrapValue, and thus can be
// useful even if wrapper already points to newTarget. // useful even if wrapper already points to newTarget.
bool bool
js::RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget) js::RemapWrapper(JSContext *cx, JSObject *wobjArg, JSObject *newTargetArg)
{ {
RootedObject wobj(cx, wobjArg);
RootedObject newTarget(cx, newTargetArg);
JS_ASSERT(IsCrossCompartmentWrapper(wobj)); JS_ASSERT(IsCrossCompartmentWrapper(wobj));
JS_ASSERT(!IsCrossCompartmentWrapper(newTarget)); JS_ASSERT(!IsCrossCompartmentWrapper(newTarget));
JSObject *origTarget = Wrapper::wrappedObject(wobj); JSObject *origTarget = Wrapper::wrappedObject(wobj);
@ -1077,9 +1079,9 @@ js::RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget)
// First, we wrap it in the new compartment. We try to use the existing // First, we wrap it in the new compartment. We try to use the existing
// wrapper, |wobj|, since it's been nuked anyway. The wrap() function has // wrapper, |wobj|, since it's been nuked anyway. The wrap() function has
// the choice to reuse |wobj| or not. // the choice to reuse |wobj| or not.
JSObject *tobj = newTarget; RootedObject tobj(cx, newTarget);
AutoCompartment ac(cx, wobj); AutoCompartment ac(cx, wobj);
if (!wcompartment->wrap(cx, &tobj, wobj)) if (!wcompartment->wrap(cx, tobj.address(), wobj))
MOZ_CRASH(); MOZ_CRASH();
// If wrap() reused |wobj|, it will have overwritten it and returned with // If wrap() reused |wobj|, it will have overwritten it and returned with
@ -1107,10 +1109,11 @@ js::RemapWrapper(JSContext *cx, JSObject *wobj, JSObject *newTarget)
// Remap all cross-compartment wrappers pointing to |oldTarget| to point to // Remap all cross-compartment wrappers pointing to |oldTarget| to point to
// |newTarget|. All wrappers are recomputed. // |newTarget|. All wrappers are recomputed.
JS_FRIEND_API(bool) JS_FRIEND_API(bool)
js::RemapAllWrappersForObject(JSContext *cx, JSObject *oldTarget, js::RemapAllWrappersForObject(JSContext *cx, JSObject *oldTargetArg,
JSObject *newTarget) JSObject *newTargetArg)
{ {
Value origv = ObjectValue(*oldTarget); RootedValue origv(cx, ObjectValue(*oldTargetArg));
RootedObject newTarget(cx, newTargetArg);
AutoWrapperVector toTransplant(cx); AutoWrapperVector toTransplant(cx);
if (!toTransplant.reserve(cx->runtime->compartments.length())) if (!toTransplant.reserve(cx->runtime->compartments.length()))