diff options
| author | Moonchild <moonchild@palemoon.org> | 2020-08-31 05:54:39 +0000 |
|---|---|---|
| committer | Moonchild <moonchild@palemoon.org> | 2020-08-31 05:54:39 +0000 |
| commit | a6f632714fcb1be3dd00b0fc76fbf6bfc693155b (patch) | |
| tree | b04c82f9af4a0d288a6d4350d774ad8fe6dac903 /js/src/gc | |
| parent | 2ed0607c747b21cadaf7401d4ba706097578e74d (diff) | |
| parent | b28effe2ea93e43e362f7ce263d23b55adcb6da7 (diff) | |
| download | UXP-RELBASE_20200831.tar UXP-RELBASE_20200831.tar.gz UXP-RELBASE_20200831.tar.lz UXP-RELBASE_20200831.tar.xz UXP-RELBASE_20200831.zip | |
Merge branch 'redwood' into releaseRELBASE_20200831
Diffstat (limited to 'js/src/gc')
| -rw-r--r-- | js/src/gc/Marking.cpp | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/js/src/gc/Marking.cpp b/js/src/gc/Marking.cpp index 43e325394..b4db0297a 100644 --- a/js/src/gc/Marking.cpp +++ b/js/src/gc/Marking.cpp @@ -2267,6 +2267,8 @@ void js::gc::StoreBuffer::SlotsEdge::trace(TenuringTracer& mover) const { NativeObject* obj = object(); + if(!IsCellPointerValid(obj)) + return; // Beware JSObject::swap exchanging a native object for a non-native one. if (!obj->isNative()) @@ -2336,6 +2338,8 @@ js::gc::StoreBuffer::traceWholeCells(TenuringTracer& mover) { for (ArenaCellSet* cells = bufferWholeCell; cells; cells = cells->next) { Arena* arena = cells->arena; + if(!IsCellPointerValid(arena)) + continue; MOZ_ASSERT(arena->bufferedCells == cells); arena->bufferedCells = &ArenaCellSet::Empty; @@ -2364,6 +2368,7 @@ js::gc::StoreBuffer::CellPtrEdge::trace(TenuringTracer& mover) const { if (!*edge) return; + // XXX: We should check if the cell pointer is valid here too MOZ_ASSERT((*edge)->getTraceKind() == JS::TraceKind::Object); mover.traverse(reinterpret_cast<JSObject**>(edge)); |