Bug 1296015 - Don't allocate typed arrays with the wrong AllocKind when tenuring. r=terrence,smvv
authorJan de Mooij <jdemooij@mozilla.com>
Wed, 07 Sep 2016 12:49:00 +0200
changeset 354300 b48c0088fad27760cbae9733af3d6e3e0afad5df
parent 354299 c1c9882472df9624b37436208c278021a9b0ff44
child 354301 b3b4d243d1e2f7e0466c34b72badbd6524742c06
push id6570
push userraliiev@mozilla.com
push dateMon, 14 Nov 2016 12:26:13 +0000
treeherdermozilla-beta@f455459b2ae5 [default view] [failures only]
reviewersterrence, smvv
bugs1296015
milestone51.0a1
Bug 1296015 - Don't allocate typed arrays with the wrong AllocKind when tenuring. r=terrence,smvv
js/src/jit-test/tests/basic/bug1296015.js
js/src/vm/TypedArrayObject.h
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug1296015.js
@@ -0,0 +1,9 @@
+function f() {
+    for (var i=0; i<30000; i++) {
+        var a = inIon() ? 0 : 300;
+        var buf = new Uint8ClampedArray(a);
+        (function() {}) * this;
+    }
+    try {} catch(e) {}
+}
+f();
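Review bot: The new test has no comment saying what it guards against and asserts nothing, so it can only fail by crashing or tripping an engine assertion. Because of `inIon() ? 0 : 300`, the zero-length array is created only once `f` is running in Ion, so in a configuration where Ion never compiles the loop the test presumably stops covering the fixed path. A header such as `// Bug 1296015: a zero-length typed array allocated in Ion must keep the same AllocKind when tenured; passes by not crashing.` would record that. If `(function() {}) * this;` and the empty `try` are needed to trigger the original failure, they deserve a short comment too.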
--- a/js/src/vm/TypedArrayObject.h
+++ b/js/src/vm/TypedArrayObject.h
@@ -115,18 +115,17 @@ class TypedArrayObject : public NativeOb
     // object is created lazily.
     static const uint32_t INLINE_BUFFER_LIMIT =
         (NativeObject::MAX_FIXED_SLOTS - FIXED_DATA_START) * sizeof(Value);
 
     static gc::AllocKind
     AllocKindForLazyBuffer(size_t nbytes)
     {
         MOZ_ASSERT(nbytes <= INLINE_BUFFER_LIMIT);
-        /* For GGC we need at least one slot in which to store a forwarding pointer. */
-        size_t dataSlots = Max(size_t(1), AlignBytes(nbytes, sizeof(Value)) / sizeof(Value));
+        size_t dataSlots = AlignBytes(nbytes, sizeof(Value)) / sizeof(Value);
         MOZ_ASSERT(nbytes <= dataSlots * sizeof(Value));
         return gc::GetGCObjectKind(FIXED_DATA_START + dataSlots);
     }
 
     inline Scalar::Type type() const;
     inline size_t bytesPerElement() const;
 
     static Value bufferValue(TypedArrayObject* tarr) {
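Review bot: On the new `size_t dataSlots = ...` line, `dataSlots` can now be 0 when `nbytes == 0`, and the removed comment about needing one slot for a GGC forwarding pointer is dropped with nothing in its place. The commit title ties this function to the kind chosen when tenuring, so a result that disagrees with the kind the array was first allocated with is presumably a memory-safety problem, and the invariant should be written down: `// No minimum of one slot: the kind must equal the one used when the array was allocated, including for nbytes == 0.` Both checks in the function are `MOZ_ASSERT`, so as far as this hunk shows nothing bounds `nbytes` when assertions are compiled out. The callers are outside the hunk and have to enforce `INLINE_BUFFER_LIMIT` themselves, which is worth stating in the function comment as well.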