Bug 701682 - Avoid write barrier when slowifying an array (r=bhackett)
author Bill McCloskey <wmccloskey@mozilla.com>
Mon, 14 Nov 2011 11:10:22 -0800
changeset 80235 920c5da54a5cf988c931791e76737b265b3259cc
parent 80234 ee792c270e4f1b176b6e8692b8194d4fecc7d328
child 80236 6b839530a88aba110b69c8ead1df5d1d77ee63a7
push id 323
push user rcampbell@mozilla.com
push date Tue, 15 Nov 2011 21:58:36 +0000
treeherder fx-team@3ea216303184
reviewers bhackett
bugs 701682
milestone 11.0a1
js/src/jsarray.cpp
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -1395,17 +1395,26 @@ JSObject::makeDenseArraySlow(JSContext *
     for (uint32 i = 0; i < arrayCapacity; i++) {
         /* Dense array indexes can always fit in a jsid. */
         jsid id;
         JS_ALWAYS_TRUE(ValueToId(cx, Int32Value(i), &id));
 
         if (slots[i].isMagic(JS_ARRAY_HOLE))
             continue;
 
-        setSlot(next, slots[i]);
+        /*
+         * No barrier is needed here because the set of reachable objects before
+         * and after slowification is the same. During slowification, the
+         * autoArray rooter guarantees that all slots will be marked.
+         *
+         * It's important that we avoid a barrier here because the fixed slots
+         * of a dense array can be garbage; a write barrier after the switch to
+         * a slow array could cause a crash.
+         */
+        initSlotUnchecked(next, slots[i]);
 
         if (!addDataProperty(cx, id, next, JSPROP_ENUMERATE)) {
             setMap(oldMap);
             capacity = arrayCapacity;
             initializedLength() = arrayInitialized;
             clasp = &ArrayClass;
             return false;
         }
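Review bot: The new comment above `initSlotUnchecked(next, slots[i])` explains why the write barrier is skipped, but not why the unchecked variant is needed rather than a plain initializing store; the only hint is the remark that "the fixed slots of a dense array can be garbage". Please add a sentence stating that the destination slot may hold a stale or uninitialized value at this point, so any debug check that the slot is still empty (or any barrier that reads the old value) would be unsafe, which is the reason the unchecked store is the right primitive here. It would also help a future reader to name where the autoArray rooter referenced in the comment is declared, since it is not visible in this hunk, and to note that the failure path after `addDataProperty` (which restores `oldMap`, `capacity`, `initializedLength()` and `clasp`) relies on the same "reachable set is unchanged" argument for the slots already written.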