No issue - Don't assign non-live hash table entry.

The problem here is that we use move assignment on a hash table entry that is not live. Although all entries are constructed by `HashTable::createTable`, they may subsequently be destroyed by `HashTableEntry::destroyStoredT()`. Therefore it is not safe to call any methods on a non live entry. This causes a problem for GC barrier wrappers which assume that the object state is valid (and presumably anything that does more than just write the assigned data into memory). The fix is to construct a new entry in-place. Based on work by Jon Coppeard <jcoppeard@mozilla.com> in Bug 2009608
2026-05-26 13:58:49 +00:00 · 2026-02-25 14:53:42 +01:00
parent 3762b659ef
commit 6aa3331bdb
1 changed files with 1 additions and 1 deletions
@@ -830,7 +830,7 @@ class HashTableEntry
        if (other->isLive()) {
            mozilla::Swap(*mem.addr(), *other->mem.addr());
        } else {
-            *other->mem.addr() = mozilla::Move(*mem.addr());
+            new (mozilla::KnownNotNull, other->mem.addr()) NonConstT(mozilla::Move(*mem.addr()));
            destroy();
        }
        mozilla::Swap(keyHash, other->keyHash);