Bug 1601074: Fix preliminary-objects-set issue wrt NEWOBJECT_WITHGROUP. r=iain a=jcristau
author Chris Fallin <cfallin@mozilla.com>
Wed, 04 Dec 2019 00:47:39 +0000
changeset 566728 a37ac55dc781df94eba9597dd082d33d17d7ff72
parent 566727 414f887a41f55000094f7820774c0b503632da16
child 566729 e6950b71c162daf4599b45265f60e1c31e57dff1
push id 12390
push user archaeopteryx@coole-files.de
push date Fri, 06 Dec 2019 18:33:17 +0000
treeherder mozilla-beta@8919727c131e
reviewers iain, jcristau
bugs 1601074, 1598347, 1580246
milestone 72.0
The recent addition of the JSOP_NEWOBJECT_WITHGROUP opcode for bug 1598347 (itself a regression fix for 1580246) has led to an issue when more than a certain number of array elements with the same group are created within an array literal. In particular, when too many objects are created, the preliminary-objects-set for the ObjectGroup becomes full and hits a MOZ_CRASH.

This patch avoids trying to add to the preliminary object set in the _WITHGROUP case.

Differential Revision: https://phabricator.services.mozilla.com/D55736
js/src/jit-test/tests/basic/bug1601074.js
js/src/vm/Interpreter.cpp
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1601074.js
@@ -0,0 +1,13 @@
+for (let y of [
+      { x: 1 },
+      { x: 2 },
+      { x: 3 },
+      { x: 4 },
+      { x: 5 },
+      { x: 6 },
+      { x: 7 },
+      { x: 8 },
+      { x: 9 },
+      { x: 10 },
+      { x: 11 },
+]) {}
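Review bot: the new test has no comment saying why it needs eleven same-shaped literals or which failure it guards against, so a later reader cannot tell whether the count is load-bearing. A short header comment naming the condition from the commit message (the ObjectGroup's preliminary-objects-set filling up and hitting MOZ_CRASH) would help. Since the commit message only says "more than a certain number" of elements, it is also worth either using clearly more elements than the limit or noting the limit the count was chosen against, so the test does not silently stop exercising the crash path if that limit changes.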
--- a/js/src/vm/Interpreter.cpp
+++ b/js/src/vm/Interpreter.cpp
@@ -5253,17 +5253,17 @@ JSObject* js::NewObjectOperation(JSConte
     return nullptr;
   }
 
   if (newKind == SingletonObject) {
     MOZ_ASSERT(obj->isSingleton());
   } else {
     obj->setGroup(group);
 
-    if (!IsInsideNursery(obj)) {
+    if (!withTemplateGroup) {
       AutoSweepObjectGroup sweep(group);
       if (PreliminaryObjectArray* preliminaryObjects =
               group->maybePreliminaryObjects(sweep)) {
         preliminaryObjects->registerNewObject(obj);
       }
     }
   }
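Review bot: the condition change on the `if` line drops the `!IsInsideNursery(obj)` check outright rather than adding to it, so in the non-template-group case nursery-allocated objects will now reach `preliminaryObjects->registerNewObject(obj)` where they previously did not. If that is intended, the commit message should say why the nursery check is no longer needed; if not, the condition probably wants to be `!withTemplateGroup && !IsInsideNursery(obj)`. Either way, a one-line comment above the `if` explaining that objects created with a template group must not be added to the preliminary object set (and why) would keep the guard from being removed again later.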