corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1970246 - Don't call Nursery::inCollectedRegion from a different thread in JSLinearString::hasCharsInCollectedNurseryRegion. a=dmeehan DONTBUILD

Browse Source 
This avoids accessing the `Nursery::Space::chunks_` vector from a worker thread
(for permanent atoms) because that can race if the main thread disables the nursery
at the same time.

`JSLinearString::hasCharsInCollectedNurseryRegion` is only used in debug/gc-zeal builds.

Original Revision: https://phabricator.services.mozilla.com/D252861

Differential Revision: https://phabricator.services.mozilla.com/D253153
This commit is contained in:
Jan de Mooij
2025-06-10 12:02:46 +00:00
committed by dmeehan@mozilla.com
parent b768daa744
commit 6bf5a3c26e
1 changed files with 8 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
js/src/vm/StringType.cpp
View File

@@ -1377,7 +1377,14 @@ template JSString* js::ConcatStrings<NoGC>(JSContext* cx, JSString* const& left,
gc::Heap heap);
bool JSLinearString::hasCharsInCollectedNurseryRegion() const {
auto& nursery = runtimeFromAnyThread()->gc.nursery();
if (isPermanentAtom()) {
// Nursery::inCollectedRegion(void*) should only be called on the nursery's
// main thread to avoid races. Permanent atoms can be shared with worker
// threads but atoms are never allocated in the nursery.
MOZ_ASSERT(isTenured());
return false;
}
auto& nursery = runtimeFromMainThread()->gc.nursery();
if (isInline()) {
return nursery.inCollectedRegion(this);
}