Bug 1296015 - Don't allocate typed arrays with the wrong AllocKind when tenuring. r=terrence,smvv
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 07 Sep 2016 12:49:00 +0200
changeset 313015 b48c0088fad27760cbae9733af3d6e3e0afad5df
parent 313014 c1c9882472df9624b37436208c278021a9b0ff44
child 313016 b3b4d243d1e2f7e0466c34b72badbd6524742c06
push id30669
push userkwierso@gmail.com
push dateThu, 08 Sep 2016 00:56:12 +0000
reviewersterrence, smvv
bugs1296015
milestone51.0a1
Bug 1296015 - Don't allocate typed arrays with the wrong AllocKind when tenuring. r=terrence,smvv
js/src/jit-test/tests/basic/bug1296015.js
js/src/vm/TypedArrayObject.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1296015.js
@@ -0,0 +1,9 @@
+function f() {
+    for (var i=0; i<30000; i++) {
+        var a = inIon() ? 0 : 300;
+        var buf = new Uint8ClampedArray(a);
+        (function() {}) * this;
+    }
+    try {} catch(e) {}
+}
+f();
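Review bot: The new test has no comment saying what it exercises, so the purpose of `inIon() ? 0 : 300`, `(function() {}) * this;` and the empty `try {} catch(e) {}` cannot be recovered from the file itself. A header such as `// Bug 1296015: zero-length typed array allocated while running in Ion, then tenured; must not crash or assert.` would help, if that is the intended path (inferred from the commit title, not from the test). The test contains no assertion, so it presumably passes simply by not crashing. Stating that in the comment would keep a later cleanup from deleting the odd-looking statements that make it effective.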
--- a/js/src/vm/TypedArrayObject.h
+++ b/js/src/vm/TypedArrayObject.h
@@ -115,18 +115,17 @@ class TypedArrayObject : public NativeOb
     // object is created lazily.
     static const uint32_t INLINE_BUFFER_LIMIT =
         (NativeObject::MAX_FIXED_SLOTS - FIXED_DATA_START) * sizeof(Value);
 
     static gc::AllocKind
     AllocKindForLazyBuffer(size_t nbytes)
     {
         MOZ_ASSERT(nbytes <= INLINE_BUFFER_LIMIT);
-        /* For GGC we need at least one slot in which to store a forwarding pointer. */
-        size_t dataSlots = Max(size_t(1), AlignBytes(nbytes, sizeof(Value)) / sizeof(Value));
+        size_t dataSlots = AlignBytes(nbytes, sizeof(Value)) / sizeof(Value);
         MOZ_ASSERT(nbytes <= dataSlots * sizeof(Value));
         return gc::GetGCObjectKind(FIXED_DATA_START + dataSlots);
     }
 
     inline Scalar::Type type() const;
     inline size_t bytesPerElement() const;
 
     static Value bufferValue(TypedArrayObject* tarr) {
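Review bot: With the `Max(size_t(1), ...)` clamp removed, `nbytes == 0` now gives `dataSlots == 0` in `AllocKindForLazyBuffer`, and nothing on the new side says why the old requirement (one slot for a GGC forwarding pointer) no longer applies. The commit title suggests the kind computed here must agree with the kind used when the object was first allocated, since a mismatch at tenuring means the collector works from the wrong object size. That invariant deserves a comment above the `dataSlots` line, for example `// Must match the AllocKind chosen at allocation; zero-length arrays get no data slot.`. The allocation and tenuring callers are outside this hunk, so confirm they all go through this helper, or add a `MOZ_ASSERT` at the tenuring site comparing the two kinds. The class body continues beyond the hunk.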