Bug 952295 - Fix an exact rooting hazard in CompileLazyFunction; r=sfink

--HG-- extra : rebase_source : 16f3adf53fafa2bc76ef4d8058923ee7818f303f
2013-12-19 16:55:32 -08:00 · 2013-12-19 16:55:32 -08:00 · 0e064ae2dd
--- a/js/src/frontend/BytecodeCompiler.cpp
+++ b/js/src/frontend/BytecodeCompiler.cpp
@ -402,7 +402,7 @@ frontend::CompileScript(ExclusiveContext *cx, LifoAlloc *alloc, HandleObject sco
 }

 bool
-frontend::CompileLazyFunction(JSContext *cx, LazyScript *lazy, const jschar *chars, size_t length)
+frontend::CompileLazyFunction(JSContext *cx, Handle<LazyScript*> lazy, const jschar *chars, size_t length)
 {
    JS_ASSERT(cx->compartment() == lazy->function()->compartment());

--- a/js/src/frontend/BytecodeCompiler.h
+++ b/js/src/frontend/BytecodeCompiler.h
@ -28,7 +28,7 @@ CompileScript(ExclusiveContext *cx, LifoAlloc *alloc,
              SourceCompressionTask *extraSct = nullptr);

 bool
-CompileLazyFunction(JSContext *cx, LazyScript *lazy, const jschar *chars, size_t length);
+CompileLazyFunction(JSContext *cx, Handle<LazyScript*> lazy, const jschar *chars, size_t length);

 bool
 CompileFunctionBody(JSContext *cx, MutableHandleFunction fun,
--- a/js/src/gc/RootMarking.cpp
+++ b/js/src/gc/RootMarking.cpp
@ -54,6 +54,7 @@ MarkExactStackRoot(JSTracer *trc, Rooted<void*> *rooter, ThingRootKind kind)
      case THING_ROOT_OBJECT:      MarkObjectRoot(trc, (JSObject **)addr, "exact-object"); break;
      case THING_ROOT_STRING:      MarkStringRoot(trc, (JSString **)addr, "exact-string"); break;
      case THING_ROOT_SCRIPT:      MarkScriptRoot(trc, (JSScript **)addr, "exact-script"); break;
+      case THING_ROOT_LAZY_SCRIPT: MarkLazyScriptRoot(trc, (LazyScript **)addr, "exact-lazy-script"); break;
      case THING_ROOT_SHAPE:       MarkShapeRoot(trc, (Shape **)addr, "exact-shape"); break;
      case THING_ROOT_BASE_SHAPE:  MarkBaseShapeRoot(trc, (BaseShape **)addr, "exact-baseshape"); break;
      case THING_ROOT_TYPE:        MarkTypeRoot(trc, (types::Type *)addr, "exact-type"); break;
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@ -1110,7 +1110,7 @@ JSFunction::createScriptForLazilyInterpretedFunction(JSContext *cx, HandleFuncti
 {
    JS_ASSERT(fun->isInterpretedLazy());

-    LazyScript *lazy = fun->lazyScriptOrNull();
+    Rooted<LazyScript*> lazy(cx, fun->lazyScriptOrNull());
    if (lazy) {
        // Trigger a pre barrier on the lazy script being overwritten.
        if (cx->zone()->needsBarrier())
--- a/js/src/jspubtd.h
+++ b/js/src/jspubtd.h
@ -303,6 +303,7 @@ enum ThingRootKind
    THING_ROOT_STRING,
    THING_ROOT_JIT_CODE,
    THING_ROOT_SCRIPT,
+    THING_ROOT_LAZY_SCRIPT,
    THING_ROOT_ID,
    THING_ROOT_PROPERTY_ID,
    THING_ROOT_VALUE,
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@ -1756,6 +1756,8 @@ class LazyScript : public gc::BarrieredCell<LazyScript>
    void markChildren(JSTracer *trc);
    void finalize(js::FreeOp *fop);

+    static inline js::ThingRootKind rootKind() { return js::THING_ROOT_LAZY_SCRIPT; }
+
    size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf)
    {
        return mallocSizeOf(table_);