Bug 743868 - Fix barriers in SupressDeletedProperties; r=billm
author Terrence Cole <terrence@mozilla.com>
Mon, 09 Apr 2012 16:52:50 -0700
changeset 94792 053487b8f1f7a0e112a26105d82a472be3824ae3
parent 94791 12e42fb8e321f095f098c86be96932f646e84885
child 94793 f585e56c03ed5ac4fd47f9083cf6bbcaf592feec
push id 886
push user lsblakk@mozilla.com
push date Mon, 04 Jun 2012 19:57:52 +0000
treeherder mozilla-beta@bbd8d5efd6d1
reviewers billm
bugs 743868
milestone 14.0a1
Bug 743868 - Fix barriers in SupressDeletedProperties; r=billm

Right now, we simply stop tracing through deleted properties. This causes us to delete things that are still in the write buffer. We need to, in addition, set the reference to NULL to ensure that the write buffer doesn't dereference these dead entries.
js/src/jsiter.cpp
--- a/js/src/jsiter.cpp
+++ b/js/src/jsiter.cpp
@@ -1046,20 +1046,21 @@ SuppressDeletedPropertyHelper(JSContext 
                     if (idp == props_cursor) {
                         ni->incCursor();
                     } else {
                         for (HeapPtr<JSFlatString> *p = idp; p + 1 != props_end; p++)
                             *p = *(p + 1);
                         ni->props_end = ni->end() - 1;
 
                         /*
-                         * Invoke the write barrier on this element, since it's
-                         * no longer going to be marked.
+                         * This invokes the pre barrier on this element, since
+                         * it's no longer going to be marked, and ensures that
+                         * any existing remembered set entry will be dropped.
                          */
-                        ni->props_end->HeapPtr<JSFlatString>::~HeapPtr();
+                        *ni->props_end = NULL;
                     }
 
                     /* Don't reuse modified native iterators. */
                     ni->flags |= JSITER_UNREUSABLE;
 
                     if (predicate.matchesAtMostOne())
                         break;
                 }
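Review bot: The rewritten comment above `*ni->props_end = NULL;` leaves out the reason the explicit `~HeapPtr()` call was not enough, and it says "remembered set entry" where the commit message calls the same thing the "write buffer". After `ni->props_end = ni->end() - 1`, the slot at `props_end` sits just outside the range the shifting loop treats as live, so it is no longer marked; the comment should say that the slot must actually hold NULL afterwards so that anything still recording its address finds NULL rather than a stale pointer. Consider opening the comment with "Assigning NULL invokes the pre barrier ..." instead of "This invokes ...", and using a single term for the buffer in both the comment and the commit message.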