Bug 1359342 - Add missing read barrier in TypeNewScript::maybeAnalyse r=sfink
authorJon Coppeard <jcoppeard@mozilla.com>
Tue, 27 Feb 2018 12:14:47 +0000
changeset 405572 f361cfca3755aae660df9131540d3b469f9e29e6
parent 405571 87e6042a409d0cd33d5fbf7a2abda73c046e796a
child 405573 5297541590781af40ff09e067646f3115960af75
child 405643 7a805b66dfcc73e00eea543252830efc1ff6eb81
push id33524
push userapavel@mozilla.com
push dateTue, 27 Feb 2018 22:24:31 +0000
treeherdermozilla-central@529754159078 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssfink
bugs1359342
milestone60.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1359342 - Add missing read barrier in TypeNewScript::maybeAnalyse r=sfink
js/src/vm/TypeInference.cpp
js/src/vm/TypeInference.h
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3942,16 +3942,20 @@ TypeNewScript::maybeAnalyze(JSContext* c
 
     templateObject()->setGroup(initialGroup);
 
     // Transfer this TypeNewScript from the fully initialized group to the
     // partially initialized group.
     group->detachNewScript();
     initialGroup->setNewScript(this);
 
+    // prefixShape was read via a weak pointer, so we need a read barrier before
+    // we store it into the heap.
+    Shape::readBarrier(prefixShape);
+
     initializedShape_ = prefixShape;
     initializedGroup_ = group;
 
     destroyNewScript.group = nullptr;
 
     if (regenerate)
         *regenerate = true;
     return true;
--- a/js/src/vm/TypeInference.h
+++ b/js/src/vm/TypeInference.h
@@ -1044,20 +1044,20 @@ class TypeNewScript
   public:
     TypeNewScript() { mozilla::PodZero(this); }
     ~TypeNewScript() {
         js_delete(preliminaryObjects);
         js_free(initializerList);
     }
 
     void clear() {
-        function_.init(nullptr);
-        templateObject_.init(nullptr);
-        initializedShape_.init(nullptr);
-        initializedGroup_.init(nullptr);
+        function_ = nullptr;
+        templateObject_ = nullptr;
+        initializedShape_ = nullptr;
+        initializedGroup_ = nullptr;
     }
 
     static void writeBarrierPre(TypeNewScript* newScript);
 
     bool analyzed() const {
         return preliminaryObjects == nullptr;
     }