The following testcase crashes on mozilla-central built with --enable-exact-rooting --enable-gcgenerational, revision 53d55d2d0a25 (run with --fuzzing-safe --ion-eager): function r(keyword, tests) { function Reserved(keyword, tests) this.keyword = keyword; return new Reserved(keyword, tests); } r("break"); r("case"); var p = Proxy.create({}); Object.prototype.__proto__ = p;

Crash trace: Program received signal SIGSEGV, Segmentation fault. js::gc::Cell::runtimeFromMainThread (this=<optimized out>) at ../gc/Heap.h:973 973 JSRuntime *rt = chunk()->info.trailer.runtime; (gdb) bt #0 js::gc::Cell::runtimeFromMainThread (this=<optimized out>) at ../gc/Heap.h:973 #1 0x00000000004c5ed6 in js::gc::GetGCThingTraceKind (thing=0x1751be0) at ../jsgcinlines.h:100 #2 0x00000000004c9d30 in mark (trc=<optimized out>, this=0x166ec40) at ../gc/StoreBuffer.cpp:194 #3 js::gc::StoreBuffer::MonoTypeBuffer<js::gc::StoreBuffer::CellPtrEdge>::mark (this=0x1629cd0, trc=0x7fffffffd8d0) at ../gc/StoreBuffer.cpp:120 #4 0x00000000004a5a67 in js::gc::StoreBuffer::mark (this=0x1629c80, trc=0x7fffffffd8d0) at ../gc/StoreBuffer.cpp:277 #5 0x00000000004b467f in js::Nursery::collect (this=0x1629c10, rt=0x1628e90, reason=JS::gcreason::DESTROY_CONTEXT, pretenureTypes=0x0) at ../gc/Nursery.cpp:610 #6 0x00000000007fafce in MinorGC (reason=JS::gcreason::DESTROY_CONTEXT, rt=0x1628e90) at ../jsgc.cpp:4875 #7 Collect (rt=0x1628e90, incremental=false, budget=0, gckind=js::GC_NORMAL, reason=JS::gcreason::DESTROY_CONTEXT) at ../jsgc.cpp:4728 #8 0x000000000074bb33 in js::DestroyContext (cx=0x164f540, mode=js::DCM_FORCE_GC) at ../jscntxt.cpp:264 #9 0x0000000000406d35 in DestroyContext (cx=0x164f540, withGC=true) at ../../shell/js.cpp:5247 #10 0x000000000041ee29 in main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at ../../shell/js.cpp:5897 (gdb) x /i $pc => 0x4c4396 <js::gc::Cell::runtimeFromMainThread() const+22>: mov 0xffff8(%rdi),%rbx (gdb) info reg rdi rdi 0x1700000 24117248

The problem here is that the lifetime of the TypeObjectAddendum can be shorter than that of the owning TypeObject. If this is the case, we can leave pointers to the dead object in the storebuffer. This patch replaces the HeapPtr<T>s in TypeNewScript with RelocatablePtr<T>s, and arranages for TypeObjectAddendum-derived objects to have thier destructors called. This allows us to remove the storebuffer pointers when the objects die. I also TypeObject::addendum to an EncapsulatedPtr from a HeapPtr as its postbarrier didn't do anything.

Is this testcase still crashing now that bug 936156 has gone in? TypeNewScript should not contain any nursery pointers anymore.

It's not crashing any more. The second change in bug 936156 fixes this.