Bug 1481093 - Also update children of typed object type descriptor objects when compacting r=sfink a=abillings
authorJon Coppeard <jcoppeard@mozilla.com>
Mon, 13 Aug 2018 13:21:34 +0100
changeset 431246 ec59471499f174cd05086b572f759f67cdfa4476
parent 431223 c9c1a36c4f414593ba6587b746889e9e4d3ba870
child 431247 125176893a0a113be1865f1d3efc1e38425ee0e6
reviewerssfink, abillings
bugs1481093
milestone63.0a1
Bug 1481093 - Also update children of typed object type descriptor objects when compacting r=sfink a=abillings
js/src/builtin/TypedObject.cpp
js/src/gc/GC.cpp
js/src/jit-test/tests/gc/bug-1481093.js
--- a/js/src/builtin/TypedObject.cpp
+++ b/js/src/builtin/TypedObject.cpp
@@ -997,19 +997,17 @@ StructMetaTypeDescr::createFromArrays(JS
     descr->initReservedSlot(JS_DESCR_SLOT_TYPROTO, ObjectValue(*prototypeObj));
 
     if (!LinkConstructorAndPrototype(cx, descr, prototypeObj))
         return nullptr;
 
     if (!CreateTraceList(cx, descr))
         return nullptr;
 
-    if (!cx->zone()->addTypeDescrObject(cx, descr) ||
-        !cx->zone()->addTypeDescrObject(cx, fieldTypeVec))
-    {
+    if (!cx->zone()->addTypeDescrObject(cx, descr)) {
         ReportOutOfMemory(cx);
         return nullptr;
     }
 
     return descr;
 }
 
 bool
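Review bot: Now that `fieldTypeVec` is no longer registered with `addTypeDescrObject`, nothing at this site explains why it remains safe under compacting GC; a reader of createFromArrays sees an array that used to be tracked and is not any more. The GC.cpp hunk in this same commit makes GCRuntime::updateTypeDescrObjects update every object held in a descriptor's slots, which is presumably where `fieldTypeVec` lives, but that link is only visible by reading both files. Suggest a comment above the remaining call: `// Only descr is registered: objects stored in its slots (including fieldTypeVec) are updated by GCRuntime::updateTypeDescrObjects during compaction.` The start of createFromArrays is outside the hunk.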
--- a/js/src/gc/GC.cpp
+++ b/js/src/gc/GC.cpp
@@ -2773,19 +2773,31 @@ ForegroundUpdateKinds(AllocKinds kinds)
             result += kind;
     }
     return result;
 }
 
 void
 GCRuntime::updateTypeDescrObjects(MovingTracer* trc, Zone* zone)
 {
+    // We need to update each type descriptor object and any objects stored in
+    // its slots, since some of these contain array objects which also need to
+    // be updated.
+
     zone->typeDescrObjects().sweep();
-    for (auto r = zone->typeDescrObjects().all(); !r.empty(); r.popFront())
-        UpdateCellPointers(trc, r.front());
+
+    for (auto r = zone->typeDescrObjects().all(); !r.empty(); r.popFront()) {
+        NativeObject* obj = &r.front()->as<NativeObject>();
+        UpdateCellPointers(trc, obj);
+        for (size_t i = 0; i < obj->slotSpan(); i++) {
+            Value value = obj->getSlot(i);
+            if (value.isObject())
+                UpdateCellPointers(trc, &value.toObject());
+        }
+    }
 }
 
 void
 GCRuntime::updateCellPointers(Zone* zone, AllocKinds kinds, size_t bgTaskCount)
 {
     AllocKinds fgKinds = bgTaskCount == 0 ? kinds : ForegroundUpdateKinds(kinds);
     AllocKinds bgKinds = kinds - fgKinds;
 
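Review bot: The inner loop over `obj->slotSpan()` is correct only because `UpdateCellPointers(trc, obj)` runs first: that call forwards the descriptor's own slot values, so `value.toObject()` then names the relocated object whose children get updated. Nothing marks this ordering as load-bearing, and reordering the two statements would read stale pre-move pointers in the middle of compaction, which is exactly the class of memory-safety bug this change fixes. Suggest `// Update obj first so its slots hold forwarded pointers before we read them.` above the inner loop. An object reachable from more than one descriptor is updated more than once here; that is presumably harmless if forwarding is idempotent, but a sentence confirming it in the leading comment would save the next reader the same question. updateCellPointers' body continues past the end of the hunk.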
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1481093.js
@@ -0,0 +1,5 @@
+v = new new TypedObject.StructType({
+    f: TypedObject.Any
+})
+gczeal(14);
+var lfOffThreadGlobal = newGlobal();
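Review bot: The new test carries no comment stating what it reproduces; a reader sees a struct type with an `Any` field, `gczeal(14)` and an off-thread global with no indication of the expected failure. Suggest a first line `// Bug 1481093: compacting GC must also update the objects held in type descriptor object slots.` so a future regression is traceable. The `gczeal(14)` call presumably selects the compacting zeal mode; if so, naming that in the comment would make the test's dependency on compaction explicit.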