Bug 701682 - Avoid write barrier when slowifying an array (r=bhackett)
authorBill McCloskey <wmccloskey@mozilla.com>
Mon, 14 Nov 2011 11:10:22 -0800
changeset 80224 920c5da54a5cf988c931791e76737b265b3259cc
parent 80223 ee792c270e4f1b176b6e8692b8194d4fecc7d328
child 80225 6b839530a88aba110b69c8ead1df5d1d77ee63a7
push id21476
push userbmo@edmorley.co.uk
push dateTue, 15 Nov 2011 03:03:47 +0000
treeherdermozilla-central@f694183357ec [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbhackett
bugs701682
milestone11.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 701682 - Avoid write barrier when slowifying an array (r=bhackett)
js/src/jsarray.cpp
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -1395,17 +1395,26 @@ JSObject::makeDenseArraySlow(JSContext *
     for (uint32 i = 0; i < arrayCapacity; i++) {
         /* Dense array indexes can always fit in a jsid. */
         jsid id;
         JS_ALWAYS_TRUE(ValueToId(cx, Int32Value(i), &id));
 
         if (slots[i].isMagic(JS_ARRAY_HOLE))
             continue;
 
-        setSlot(next, slots[i]);
+        /*
+         * No barrier is needed here because the set of reachable objects before
+         * and after slowification is the same. During slowification, the
+         * autoArray rooter guarantees that all slots will be marked.
+         *
+         * It's important that we avoid a barrier here because the fixed slots
+         * of a dense array can be garbage; a write barrier after the switch to
+         * a slow array could cause a crash.
+         */
+        initSlotUnchecked(next, slots[i]);
 
         if (!addDataProperty(cx, id, next, JSPROP_ENUMERATE)) {
             setMap(oldMap);
             capacity = arrayCapacity;
             initializedLength() = arrayInitialized;
             clasp = &ArrayClass;
             return false;
         }