From 442c67b4f98717778305e68c78c6e79a47f6437d Mon Sep 17 00:00:00 2001
From: Jon Coppeard
Date: Wed, 31 May 2023 16:42:54 +0000
Subject: [PATCH] Bug 1832284 - Fix rooting hazard in JSObject::swap r=sfink

Reorder blocks to avoid possbile GC while |na| and |nb| are live.

Differential Revision: https://phabricator.services.mozilla.com/D177627
---
 js/src/vm/JSObject.cpp | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/js/src/vm/JSObject.cpp b/js/src/vm/JSObject.cpp
index 77569c34b4d0..ad1f64dbb6fb 100644
--- a/js/src/vm/JSObject.cpp
+++ b/js/src/vm/JSObject.cpp
@@ -1375,6 +1375,16 @@ void JSObject::swap(JSContext* cx, HandleObject a, HandleObject b,
     }
   }
 
+  // Restore original unique IDs.
+  if ((aid || bid) && (na || nb)) {
+    if ((aid && !gc::SetOrUpdateUniqueId(cx, a, aid)) ||
+        (bid && !gc::SetOrUpdateUniqueId(cx, b, bid))) {
+      oomUnsafe.crash("Failed to set unique ID after swap");
+    }
+  }
+  MOZ_ASSERT_IF(aid, gc::GetUniqueIdInfallible(a) == aid);
+  MOZ_ASSERT_IF(bid, gc::GetUniqueIdInfallible(b) == bid);
+
   // Preserve the IsUsedAsPrototype flag on the objects.
   if (aIsUsedAsPrototype) {
     if (!JSObject::setIsUsedAsPrototype(cx, a)) {
@@ -1387,16 +1397,6 @@ void JSObject::swap(JSContext* cx, HandleObject a, HandleObject b,
     }
   }
 
-  // Restore original unique IDs.
-  if ((aid || bid) && (na || nb)) {
-    if ((aid && !gc::SetOrUpdateUniqueId(cx, a, aid)) ||
-        (bid && !gc::SetOrUpdateUniqueId(cx, b, bid))) {
-      oomUnsafe.crash("Failed to set unique ID after swap");
-    }
-  }
-  MOZ_ASSERT_IF(aid, gc::GetUniqueIdInfallible(a) == aid);
-  MOZ_ASSERT_IF(bid, gc::GetUniqueIdInfallible(b) == bid);
-
   /*
    * We need a write barrier here. If |a| was marked and |b| was not, then
    * after the swap, |b|'s guts would never be marked. The write barrier
-- 
2.11.4.GIT
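Review bot: The new position of the unique-ID restore block in the first hunk carries an ordering constraint that nothing in the code records: per the commit message it has to run before the IsUsedAsPrototype block because that block may GC while |na| and |nb| are still live, and a future reorder would silently reintroduce the same rooting hazard with only the static hazard analysis to catch it. I would expand the comment on the first added line to `// Restore original unique IDs. This must run before the IsUsedAsPrototype block below, which may GC; |na| and |nb| must not be live across a GC (rooting hazard, bug 1832284).` The fix also implicitly relies on gc::SetOrUpdateUniqueId itself not triggering a GC (it is fallible and guarded by oomUnsafe), which I assume the hazard analysis confirms but is worth stating in the same comment. JSObject::swap starts and ends outside the hunk.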