Bug 707750 - Invoke write barrier for setDenseArrayInitializedLength (r=bhackett)
authorBill McCloskey <wmccloskey@mozilla.com>
Tue, 06 Dec 2011 14:27:50 -0800
changeset 83763 66d577078bb11c09335f9dc284d5f9cdf2b43de7
parent 83762 b6ceca62f1a7e1ec2c60740483f638989a204342
child 83764 d9ce9c8fc013a18026ffa4042db7fb4bc2cf7f55
push id519
push userakeybl@mozilla.com
push dateWed, 01 Feb 2012 00:38:35 +0000
reviewersbhackett
bugs707750
milestone11.0a1
Bug 707750 - Invoke write barrier for setDenseArrayInitializedLength (r=bhackett)
js/src/jit-test/tests/basic/bug707750.js
js/src/jsobjinlines.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug707750.js
@@ -0,0 +1,9 @@
+// |jit-test| error: ReferenceError
+var lfcode = new Array();
+lfcode.push("gczeal(4);");
+lfcode.push('print(BUGNUMBER + ": " + (W       --    ));');
+while (true) {
+        var file = lfcode.shift(); if (file == undefined) { break; }
+        eval(file);
+}
+
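Review bot: The expected `ReferenceError` on the first line does not show that the barrier path ran: in a shell where `gczeal` is not defined, the first `eval` would raise the same error and the test would pass without reaching the array code under zeal. The error expected today comes from the eval'd `print(BUGNUMBER ...)` string, so a regression would presumably surface as an assertion or crash rather than as a different exception. A header comment would make that explicit, for example `// Bug 707750: lfcode.shift() under gczeal(4) must not trip the write-barrier checks; the ReferenceError from the second eval is incidental.`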
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -564,16 +564,17 @@ JSObject::getDenseArrayInitializedLength
     return getElementsHeader()->initializedLength;
 }
 
 inline void
 JSObject::setDenseArrayInitializedLength(uint32 length)
 {
     JS_ASSERT(isDenseArray());
     JS_ASSERT(length <= getDenseArrayCapacity());
+    prepareElementRangeForOverwrite(length, getElementsHeader()->length);
     getElementsHeader()->initializedLength = length;
 }
 
 inline uint32
 JSObject::getDenseArrayCapacity()
 {
     JS_ASSERT(isDenseArray());
     return getElementsHeader()->capacity;
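Review bot: The barrier range on the added line ends at `getElementsHeader()->length`, the array's logical length, rather than at the current `initializedLength`, which is the field this setter overwrites. The visible asserts bound only the new `length` argument against the capacity, so when the logical length exceeds the initialized length (or the capacity), the helper would presumably visit slots that were never initialized or that lie past the allocation; its body is not shown in this hunk, so that needs confirming. Ending the range at the old initialized length looks like the intent: `prepareElementRangeForOverwrite(length, getElementsHeader()->initializedLength);`. The parameter name `length` next to the header field `length` makes this easy to misread, so a short comment on which bound is meant would help.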