Bug 1601074: Fix preliminary-objects-set issue wrt NEWOBJECT_WITHGROUP. r=iain
author Chris Fallin <cfallin@mozilla.com>
Wed, 04 Dec 2019 00:47:39 +0000
changeset 505447 e4c1a6acc2b152f69aefa80f46b8c14d999cc385
parent 505446 d8b0a5b0a5afb91ec00330a5c2a9b341ff66ff5f
child 505448 5789d8f7d7bff75fbee2014dbdb3dc92bea74624
push id 36883
push user apavel@mozilla.com
push date Thu, 05 Dec 2019 04:11:08 +0000
reviewers iain
bugs 1601074, 1598347, 1580246
milestone 73.0a1
The recent addition of the JSOP_NEWOBJECT_WITHGROUP opcode for bug 1598347 (itself a regression fix for 1580246) has led to an issue when more than a certain number of array elements with the same group are created within an array literal. In particular, when too many objects are created, the preliminary-objects-set for the ObjectGroup becomes full and hits a MOZ_CRASH.

This patch avoids trying to add to the preliminary object set in the _WITHGROUP case.

Differential Revision: https://phabricator.services.mozilla.com/D55736
js/src/jit-test/tests/basic/bug1601074.js
js/src/vm/Interpreter.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1601074.js
@@ -0,0 +1,13 @@
+for (let y of [
+      { x: 1 },
+      { x: 2 },
+      { x: 3 },
+      { x: 4 },
+      { x: 5 },
+      { x: 6 },
+      { x: 7 },
+      { x: 8 },
+      { x: 9 },
+      { x: 10 },
+      { x: 11 },
+]) {}
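Review bot: the new test does not say why the array literal has eleven elements or what it guards against, so a later change to the preliminary-objects limit could leave it passing without exercising the crash path. Add a short comment at the top of bug1601074.js stating that the literal must contain enough same-shaped objects to fill the group's preliminary object set, and that the test passes simply by not hitting the MOZ_CRASH.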
--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
@@ -5254,17 +5254,17 @@ JSObject* js::NewObjectOperation(JSConte
     return nullptr;
   }
 
   if (newKind == SingletonObject) {
     MOZ_ASSERT(obj->isSingleton());
   } else {
     obj->setGroup(group);
 
-    if (!IsInsideNursery(obj)) {
+    if (!withTemplateGroup) {
       AutoSweepObjectGroup sweep(group);
       if (PreliminaryObjectArray* preliminaryObjects =
               group->maybePreliminaryObjects(sweep)) {
         preliminaryObjects->registerNewObject(obj);
       }
     }
   }
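Review bot: the condition on the changed line replaces `!IsInsideNursery(obj)` with `!withTemplateGroup` instead of adding to it, so nursery-allocated objects in the non-_WITHGROUP case will now reach `registerNewObject(obj)`, and the commit message does not say why that is safe. Either keep both checks (`!withTemplateGroup && !IsInsideNursery(obj)`) or add a comment above the `if` explaining why the nursery check is no longer needed and why objects created with a template group must not be registered.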