Bug 903519 - Remove verifier assumption that only objects are in the nursery, r=jonco
authorSteve Fink <sfink@mozilla.com>
Thu, 27 Jul 2017 17:31:21 -0700
changeset 456318 8b11814dcd953756076f82f481d87768acba9e50
parent 456317 e0fad5abd109adb52b7bc329caca74934f11aa06
child 456319 af8459e4365bf42e228f6cdf5d3afffd2e26fa7b
push id8799
push usermtabara@mozilla.com
push dateThu, 01 Mar 2018 16:46:23 +0000
treeherdermozilla-beta@15334014dc67 [default view] [failures only]
reviewersjonco
bugs903519
milestone60.0a1
Bug 903519 - Remove verifier assumption that only objects are in the nursery, r=jonco
js/src/gc/Verifier.cpp
--- a/js/src/gc/Verifier.cpp
+++ b/js/src/gc/Verifier.cpp
@@ -524,17 +524,24 @@ HeapCheckTracerBase::onChild(const JS::G
         return;
     }
 
     // Don't trace into GC things owned by another runtime.
     if (cell->runtimeFromAnyThread() != rt)
         return;
 
     // Don't trace into GC in zones being used by helper threads.
-    Zone* zone = thing.is<JSObject>() ? thing.as<JSObject>().zone() : cell->asTenured().zone();
+    Zone* zone;
+    if (thing.is<JSObject>())
+        zone = thing.as<JSObject>().zone();
+    else if (thing.is<JSString>())
+        zone = thing.as<JSString>().zone();
+    else
+        zone = cell->asTenured().zone();
+
     if (zone->group() && zone->group()->usedByHelperThread())
         return;
 
     WorkItem item(thing, contextName(), parentIndex);
     if (!stack.append(item))
         oom = true;
 }
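Review bot: The final `else` branch still calls `cell->asTenured().zone()` for every cell that is neither a JSObject nor a JSString, so the assumption this commit removes for strings stays in place, unstated, for all other trace kinds. If another kind later becomes nursery-allocable, the heap verifier would treat a nursery cell as tenured at this point and could look up the wrong zone; whether `asTenured()` catches that outside debug builds is not visible in this hunk. I would record the invariant on the branch itself, e.g. `// Only objects and strings can be nursery-allocated; every other kind must be tenured.`, so the next change to nursery allocation knows to revisit this check. onChild begins above the hunk, so any earlier validation of `cell` is not visible here.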