Bug 1515648 - Part 2: fix in Shape.cpp. r=jonco
authorYoshi Cheng-Hao Huang <allstars.chh@gmail.com>
Thu, 20 Dec 2018 15:43:56 +0100
changeset 452174 8fe391c74c656692ab176faf453ede4f5e387fc2
parent 452173 3d706269aea5497195d14c53e65067c05a6d9ad0
child 452175 c4c07de1d4f49d8be2262c5485c062675dcb812e
push id35291
push userncsoregi@mozilla.com
push dateMon, 31 Dec 2018 16:09:23 +0000
treeherdermozilla-central@83d06ab87e74 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjonco
bugs1515648
milestone66.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1515648 - Part 2: fix in Shape.cpp. r=jonco
js/src/vm/Shape.cpp
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -2286,22 +2286,22 @@ void Zone::fixupInitialShapeTable() {
     if (IsForwarded(shape)) {
       shape = Forwarded(shape);
       e.mutableFront().shape.set(shape);
     }
     shape->updateBaseShapeAfterMovingGC();
 
     // If the prototype has moved we have to rekey the entry.
     InitialShapeEntry entry = e.front();
-    if (entry.proto.proto().isObject() &&
-        IsForwarded(entry.proto.proto().toObject())) {
-      entry.proto.setProto(
-          TaggedProto(Forwarded(entry.proto.proto().toObject())));
+    // Use unbarrieredGet() to prevent triggering read barrier while collecting.
+    const TaggedProto& proto = entry.proto.proto().unbarrieredGet();
+    if (proto.isObject() && IsForwarded(proto.toObject())) {
+      entry.proto.setProto(TaggedProto(Forwarded(proto.toObject())));
       using Lookup = InitialShapeEntry::Lookup;
-      Lookup relookup(shape->getObjectClass(), Lookup::ShapeProto(entry.proto),
+      Lookup relookup(shape->getObjectClass(), Lookup::ShapeProto(proto),
                       shape->numFixedSlots(), shape->getObjectFlags());
       e.rekeyFront(relookup, entry);
     }
   }
 }
 
 void AutoRooterGetterSetter::Inner::trace(JSTracer* trc) {
   if ((attrs & JSPROP_GETTER) && *pgetter) {