Bug 952646 - Fix a potential exact rooting hazard in rollbackProperties; r=sfink

--HG-- extra : rebase_source : 78d68eeb1f1a8baa2879f389182d1fe2c053f6c4
2024-09-13 09:24:08 -07:00 · 2013-12-20 14:08:04 -08:00 · 2013-12-20 14:08:04 -08:00 · ab60cf8bb2
commit ab60cf8bb2
parent 1bd974bb06
3 changed files with 10 additions and 9 deletions
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@ -3209,7 +3209,7 @@ TypeObject::clearNewScriptAddendum(ExclusiveContext *cx)
            }

            if (!finished) {
-                if (!obj->rollbackProperties(cx, numProperties))
+                if (!JSObject::rollbackProperties(cx, obj, numProperties))
                    cx->compartment()->types.setPendingNukeTypes(cx);
            }
        }
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@ -416,7 +416,8 @@ class JSObject : public js::ObjectImpl
            elements[i].js::HeapSlot::~HeapSlot();
    }

-    bool rollbackProperties(js::ExclusiveContext *cx, uint32_t slotSpan);
+    static bool rollbackProperties(js::ExclusiveContext *cx, js::HandleObject obj,
+                                   uint32_t slotSpan);

    void nativeSetSlot(uint32_t slot, const js::Value &value) {
        JS_ASSERT(isNative());
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@ -1156,26 +1156,26 @@ JSObject::clear(JSContext *cx, HandleObject obj)
    obj->checkShapeConsistency();
 }

-bool
-JSObject::rollbackProperties(ExclusiveContext *cx, uint32_t slotSpan)
+/* static */ bool
+JSObject::rollbackProperties(ExclusiveContext *cx, HandleObject obj, uint32_t slotSpan)
 {
    /*
     * Remove properties from this object until it has a matching slot span.
     * The object cannot have escaped in a way which would prevent safe
     * removal of the last properties.
     */
-    JS_ASSERT(!inDictionaryMode() && slotSpan <= this->slotSpan());
+    JS_ASSERT(!obj->inDictionaryMode() && slotSpan <= obj->slotSpan());
    while (true) {
-        if (lastProperty()->isEmptyShape()) {
+        if (obj->lastProperty()->isEmptyShape()) {
            JS_ASSERT(slotSpan == 0);
            break;
        } else {
-            uint32_t slot = lastProperty()->slot();
+            uint32_t slot = obj->lastProperty()->slot();
            if (slot < slotSpan)
                break;
-            JS_ASSERT(getSlot(slot).isUndefined());
+            JS_ASSERT(obj->getSlot(slot).isUndefined());
        }
-        if (!removeProperty(cx, lastProperty()->propid()))
+        if (!obj->removeProperty(cx, obj->lastProperty()->propid()))
            return false;
    }