Bug 900405 - Fix an incorrect assertion and missing check for minor GC; r=billm
authorTerrence Cole <terrence@mozilla.com>
Thu, 01 Aug 2013 13:18:44 -0700
changeset 153305 69c38726a5ad4189b2bfc01aeb1129084a9c32b7
parent 153304 70ac9672075b7376aa60445bb5d5e6946e4826b0
child 153306 f1971c2f523249e5a369724fc870160225921a6f
push id2859
push userakeybl@mozilla.com
push dateMon, 16 Sep 2013 19:14:59 +0000
treeherdermozilla-beta@87d3c51cd2bf [default view] [failures only]
reviewersbillm
bugs900405
milestone25.0a1
Bug 900405 - Fix an incorrect assertion and missing check for minor GC; r=billm
js/src/gc/Nursery.cpp
js/src/jit-test/tests/gc/bug-900405.js
js/src/jsobjinlines.h
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -503,17 +503,17 @@ js::Nursery::moveElementsToTenured(JSObj
     if (src->is<ArrayObject>() && nslots <= GetGCKindSlots(dstKind)) {
         dst->setFixedElements();
         dstHeader = dst->getElementsHeader();
         js_memcpy(dstHeader, srcHeader, nslots * sizeof(HeapSlot));
         setElementsForwardingPointer(srcHeader, dstHeader, nslots);
         return nslots * sizeof(HeapSlot);
     }
 
-    JS_ASSERT(nslots > 2);
+    JS_ASSERT(nslots >= 2);
     size_t nbytes = nslots * sizeof(HeapValue);
     dstHeader = static_cast<ObjectElements *>(zone->malloc_(nbytes));
     if (!dstHeader)
         MOZ_CRASH();
     js_memcpy(dstHeader, srcHeader, nslots * sizeof(HeapSlot));
     setElementsForwardingPointer(srcHeader, dstHeader, nslots);
     dst->elements = dstHeader->elements();
     return nslots * sizeof(HeapSlot);
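Review bot: The out-of-line path below the changed assertion sizes the allocation and the copy from different types: `nbytes` is `nslots * sizeof(HeapValue)` for `zone->malloc_`, while the `js_memcpy` and the return value use `nslots * sizeof(HeapSlot)`. The two types are presumably the same size, but nothing in the hunk enforces it, and if they ever diverge the copy would either write past the new buffer or leave it partly filled; reusing the one value, `js_memcpy(dstHeader, srcHeader, nbytes);` and `return nbytes;`, keeps them tied together. The relaxed `JS_ASSERT(nslots >= 2)` would also benefit from a comment saying where the floor of 2 comes from (presumably the elements header counted in value-sized slots, to be confirmed where `nslots` is computed above the hunk), and since the assertion is debug-only, release builds rely on that computation alone. moveElementsToTenured starts outside the hunk.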
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-900405.js
@@ -0,0 +1,3 @@
+(function() {
+    [{ "9": [] }.watch([], function(){})]
+})()
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -582,17 +582,17 @@ JSObject::create(js::ExclusiveContext *c
 
     JSObject *obj = js_NewGCObject<js::CanGC>(cx, kind, heap);
     if (!obj) {
         js_free(slots);
         return NULL;
     }
 
 #ifdef JSGC_GENERATIONAL
-    if (heap != js::gc::TenuredHeap)
+    if (slots && heap != js::gc::TenuredHeap)
         cx->asJSContext()->runtime()->gcNursery.notifyInitialSlots(obj, slots);
 #endif
 
     obj->shape_.init(shape);
     obj->type_.init(type);
     obj->slots = slots;
     obj->elements = js::emptyObjectElements;