From be8ddc93fef12c96f9355a5f53f1587001d183a6 Mon Sep 17 00:00:00 2001
From: Brendan Eich
Date: Tue, 14 Sep 2010 12:13:12 -0700
Subject: [PATCH] Fix screwed up layering of GC marking for JSObject::emptyShape (596103, r=jorendorff).
---
 js/src/jsgc.cpp | 6 ++++++
 js/src/jsscope.h | 3 +++
 js/src/jsscopeinlines.h | 3 ---
 js/src/tests/js1_8_5/regress/jstests.list | 1 +
 js/src/tests/js1_8_5/regress/regress-596103.js | 13 +++++++++++++
 5 files changed, 23 insertions(+), 3 deletions(-)
 create mode 100644 js/src/tests/js1_8_5/regress/regress-596103.js
diff --git a/js/src/jsgc.cpp b/js/src/jsgc.cpp
index a1e5cff952a4..75152c88d730 100644
--- a/js/src/jsgc.cpp
+++ b/js/src/jsgc.cpp
@@ -1638,10 +1638,16 @@ JS_TraceChildren(JSTracer *trc, void *thing, uint32 kind)
 JSObject *obj = (JSObject *) thing;
 if (!obj->map)
 break;
+
+ /* Trace universal (ops-independent) members. */
 if (JSObject *proto = obj->getProto())
 JS_CALL_OBJECT_TRACER(trc, proto, "proto");
 if (JSObject *parent = obj->getParent())
 JS_CALL_OBJECT_TRACER(trc, parent, "parent");
+ if (obj->emptyShape)
+ obj->emptyShape->trace(trc);
+
+ /* Delegate to ops or the native marking op. */
 JSTraceOp op = obj->getOps()->trace;
 (op ? op : js_TraceObject)(trc, obj);
 break;
diff --git a/js/src/jsscope.h b/js/src/jsscope.h
index bbb364898bda..b85f5eef9b68 100644
--- a/js/src/jsscope.h
+++ b/js/src/jsscope.h
@@ -414,6 +414,9 @@ struct Shape : public JSObjectMap
 }
 void insertFree(js::Shape **freep) {
+#ifdef DEBUG
+ memset(this, JS_FREE_PATTERN, sizeof *this);
+#endif
 id = JSID_VOID;
 parent = *freep;
 if (parent)
diff --git a/js/src/jsscopeinlines.h b/js/src/jsscopeinlines.h
index fcf54f28501c..c26f172e31ef 100644
--- a/js/src/jsscopeinlines.h
+++ b/js/src/jsscopeinlines.h
@@ -108,9 +108,6 @@ JSObject::extend(JSContext *cx, const js::Shape *shape, bool isDefinitelyAtom)
 inline void
 JSObject::trace(JSTracer *trc)
 {
- if (emptyShape)
- emptyShape->trace(trc);
-
 if (!isNative())
 return;
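Review bot: In the js/src/jsgc.cpp hunk, the added `if (obj->emptyShape) obj->emptyShape->trace(trc);` sits under the generic "universal members" comment, which does not say why this marking had to move out of JSObject::trace. A comment such as `/* Mark emptyShape here: an object whose ops->trace hook bypasses js_TraceObject would otherwise leave it unmarked, and the GC could free a shape that is still referenced. */` would record the invariant; that reading is inferred from the commit title and from the matching deletion in js/src/jsscopeinlines.h. Because of that deletion JSObject::trace no longer marks emptyShape at all, so any caller that reaches js_TraceObject or JSObject::trace without going through JS_TraceChildren should be checked. The enclosing case of JS_TraceChildren starts and ends outside the hunk.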
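Review bot: In the js/src/jsscope.h hunk, `memset(this, JS_FREE_PATTERN, sizeof *this);` overwrites the whole object, including the JSObjectMap base that Shape derives from, and that is only safe while both types stay free of virtual members and non-trivial fields. A comment saying so, for example `/* Poison the freed shape so a stale reference trips quickly in DEBUG builds; Shape must remain memset-safe. */`, would help the next maintainer. The poisoning is DEBUG-only, so in release builds a freed shape keeps its old field values and a missed GC mark would fail silently rather than on the pattern. insertFree's body continues past the end of the hunk.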
diff --git a/js/src/tests/js1_8_5/regress/jstests.list b/js/src/tests/js1_8_5/regress/jstests.list
index 1e78b97a7ebe..88c1ca3683b7 100644
--- a/js/src/tests/js1_8_5/regress/jstests.list
+++ b/js/src/tests/js1_8_5/regress/jstests.list
@@ -34,3 +34,4 @@ script regress-592556-c35.js
 script regress-593256.js
 script regress-595365-1.js
 fails-if(!xulRuntime.shell) script regress-595365-2.js
+script regress-596103.js
diff --git a/js/src/tests/js1_8_5/regress/regress-596103.js b/js/src/tests/js1_8_5/regress/regress-596103.js
new file mode 100644
index 000000000000..2b1910096419
--- /dev/null
+++ b/js/src/tests/js1_8_5/regress/regress-596103.js
@@ -0,0 +1,13 @@
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/licenses/publicdomain/
+// Contributor: Gary Kwong , Jesse Ruderman
+
+for (var u = 0; u < 3; ++u) {
+ var y = [];
+ Object.create(y);
+ gc();
+ y.t = 3;
+ gc();
+}
+
+reportCompare(0, 0, 'ok');
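Review bot: regress-596103.js has no comment saying what it guards, and its only assertion is `reportCompare(0, 0, 'ok')`, so the test passes whenever the loop finishes without crashing. A one-line header such as `// Bug 596103: must not crash in gc() after an array has been used as a prototype via Object.create.` would make that intent explicit. The test also depends on a `gc()` function being supplied by the harness, which the visible lines do not show.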