From 4184ad0a88c9cbd2ac5da5b5a00edfd090eee123 Mon Sep 17 00:00:00 2001
From: Jon Coppeard <jcoppeard@mozilla.com>
Date: Thu, 4 Dec 2014 10:15:20 -0800
Subject: [PATCH] Bug 1105232 - Remove race updating COW shared elements owner
 pointer r=terrence

---
 js/src/jsgc.cpp  | 19 ++++++++++++++++---
 js/src/jsobj.cpp |  3 +--
 2 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/js/src/jsgc.cpp b/js/src/jsgc.cpp
index e8e7ecf617a0..e3f81b9ded61 100644
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -2194,9 +2194,22 @@ RelocateCell(Zone *zone, TenuredCell *src, AllocKind thingKind, size_t thingSize
         JSObject *srcObj = static_cast<JSObject *>(static_cast<Cell *>(src));
         JSObject *dstObj = static_cast<JSObject *>(static_cast<Cell *>(dst));
 
-        // Fixup the pointer to inline object elements if necessary.
-        if (srcObj->isNative() && srcObj->as<NativeObject>().hasFixedElements())
-            dstObj->as<NativeObject>().setFixedElements();
+        if (srcObj->isNative()) {
+            NativeObject *srcNative = &srcObj->as<NativeObject>();
+            NativeObject *dstNative = &dstObj->as<NativeObject>();
+
+            // Fixup the pointer to inline object elements if necessary.
+            if (srcNative->hasFixedElements())
+                dstNative->setFixedElements();
+
+            // For copy-on-write objects that own their elements, fix up the
+            // owner pointer to point to the relocated object.
+            if (srcNative->hasDynamicElements() && srcNative->denseElementsAreCopyOnWrite()) {
+                HeapPtrNativeObject &owner = srcNative->getElementsHeader()->ownerObject();
+                if (owner == srcNative)
+                    owner = dstNative;
+            }
+        }
 
         // Call object moved hook if present.
         if (JSObjectMovedOp op = srcObj->getClass()->ext.objectMovedOp)
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
index 45f1af81e722..1f54d26c2681 100644
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -2768,8 +2768,7 @@ JSObject::fixupAfterMovingGC()
     if (is<NativeObject>() && as<NativeObject>().hasDynamicElements()) {
         ObjectElements *header = as<NativeObject>().getElementsHeader();
         if (header->isCopyOnWrite()) {
-            HeapPtrNativeObject &owner = header->ownerObject();
-            owner = MaybeForwarded(owner.get());
+            NativeObject *owner = MaybeForwarded(header->ownerObject().get());
             as<NativeObject>().elements_ = owner->getElementsHeader()->elements();
         }
     }