Bug 1585921 - Use root marking functions to trace unbarriered pointers in GCPolicy traits since this is only safe when we're marking roots r=sfink

The root marking functions have assertions that will catch this being used outside of heap marking.

Differential Revision: https://phabricator.services.mozilla.com/D48534

--HG--
extra : moz-landing-system : lando

js/public/GCPolicyAPI.h

@@ -109,9 +109,9 @@ struct GCPointerPolicy {
                 "Non-pointer type not allowed for GCPointerPolicy");
 
   static void trace(JSTracer* trc, T* vp, const char* name) {
-    if (*vp) {
+    // It's not safe to trace unbarriered pointers except as part of root
-      js::UnsafeTraceManuallyBarrieredEdge(trc, vp, name);
+    // marking.
-    }
+    UnsafeTraceRoot(trc, vp, name);
   }
   static bool needsSweep(T* vp) {
     if (*vp) {

js/public/Id.h

@@ -170,7 +170,9 @@ namespace JS {
 template <>
 struct GCPolicy<jsid> {
   static void trace(JSTracer* trc, jsid* idp, const char* name) {
-    js::UnsafeTraceManuallyBarrieredEdge(trc, idp, name);
+    // It's not safe to trace unbarriered pointers except as part of root
+    // marking.
+    UnsafeTraceRoot(trc, idp, name);
   }
   static bool isValid(jsid id) {
     return !JSID_IS_GCTHING(id) ||

js/public/Value.h

@@ -1077,7 +1077,9 @@ JS_PUBLIC_API void HeapValueWriteBarriers(Value* valuep, const Value& prev,
 template <>
 struct GCPolicy<JS::Value> {
   static void trace(JSTracer* trc, Value* v, const char* name) {
-    js::UnsafeTraceManuallyBarrieredEdge(trc, v, name);
+    // It's not safe to trace unbarriered pointers except as part of root
+    // marking.
+    UnsafeTraceRoot(trc, v, name);
   }
   static bool isTenured(const Value& thing) {
     return !thing.isGCThing() || !IsInsideNursery(thing.toGCThing());

js/src/gc/Policy.h

@@ -44,9 +44,10 @@ struct InternalGCPointerPolicy : public JS::GCPointerPolicy<T> {
     }
   }
   static void trace(JSTracer* trc, T* vp, const char* name) {
-    if (*vp) {
+    // It's not safe to trace unbarriered pointers except as part of root
-      TraceManuallyBarrieredEdge(trc, vp, name);
+    // marking. If you get an assertion here you probably need to add a barrier,
-    }
+    // e.g. HeapPtr<T>.
+    TraceNullableRoot(trc, vp, name);
   }
 };
 

js/src/vm/HelperThreads.cpp

@@ -532,7 +532,7 @@ void ParseTask::trace(JSTracer* trc) {
     return;
   }
 
-  TraceManuallyBarrieredEdge(trc, &parseGlobal, "ParseTask::parseGlobal");
+  TraceRoot(trc, &parseGlobal, "ParseTask::parseGlobal");
   scripts.trace(trc);
   sourceObjects.trace(trc);
 }

js/src/vm/Realm.h

@@ -334,7 +334,8 @@ class JS::Realm : public JS::shadow::Realm {
   // Names are only removed from this list by a |delete IdentifierReference|
   // that successfully removes that global property.
   using VarNamesSet =
-      JS::GCHashSet<JSAtom*, js::DefaultHasher<JSAtom*>, js::ZoneAllocPolicy>;
+      GCHashSet<js::HeapPtr<JSAtom*>, js::DefaultHasher<JSAtom*>,
+                js::ZoneAllocPolicy>;
   VarNamesSet varNames_;
 
   friend class js::AutoSetNewObjectMetadata;

js/src/vm/TaggedProto.h

@@ -51,8 +51,10 @@ class TaggedProto {
   HashNumber hashCode() const;
 
   void trace(JSTracer* trc) {
+    // It's not safe to trace unbarriered pointers except as part of root
+    // marking.
     if (isObject()) {
-      TraceManuallyBarrieredEdge(trc, &proto, "TaggedProto");
+      TraceRoot(trc, &proto, "TaggedProto");
     }
   }
 

js/src/wasm/WasmJS.h

@@ -281,7 +281,8 @@ class WasmInstanceObject : public NativeObject {
   static WasmFunctionScope* getFunctionScope(
       JSContext* cx, HandleWasmInstanceObject instanceObj, uint32_t funcIndex);
 
-  using GlobalObjectVector = GCVector<WasmGlobalObject*, 0, ZoneAllocPolicy>;
+  using GlobalObjectVector =
+      GCVector<HeapPtr<WasmGlobalObject*>, 0, ZoneAllocPolicy>;
   GlobalObjectVector& indirectGlobals() const;
 };