Hold reference on entry in base shape table when populating initial shape, bug 698902.
authorBrian Hackett <bhackett1024@gmail.com>
Wed, 09 Nov 2011 12:04:56 -0800
changeset 82943 c12e37dbb2b7c03f4479584949448eb27b4e118f
parent 82942 8c8d32657502dbfce21bf3b93738f423cae739fc
child 82944 daf591298f5dbfa9100c72a3344f8afe79120226
push id519
push userakeybl@mozilla.com
push dateWed, 01 Feb 2012 00:38:35 +0000
treeherdermozilla-beta@788ea1ef610b [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
bugs698902
milestone10.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Hold reference on entry in base shape table when populating initial shape, bug 698902.
js/src/jsscope.cpp
--- a/js/src/jsscope.cpp
+++ b/js/src/jsscope.cpp
@@ -1283,20 +1283,27 @@ BaseShape::lookup(JSContext *cx, const B
     JSCompartment::BaseShapeEntry *entry = LookupBaseShape(cx, base);
     return entry ? entry->base : NULL;
 }
 
 /* static */ Shape *
 BaseShape::lookupInitialShape(JSContext *cx, Class *clasp, JSObject *parent,
                               AllocKind kind, uint32 objectFlags, Shape *initial)
 {
-    js::BaseShape base(clasp, parent, objectFlags);
+    BaseShape base(clasp, parent, objectFlags);
     JSCompartment::BaseShapeEntry *entry = LookupBaseShape(cx, base);
     if (!entry)
         return NULL;
+
+    /*
+     * Hold a reference on the entry's base shape, which will keep the entry
+     * from being swept during a GC under newShape below.
+     */
+    BaseShape *nbase = entry->base;
+
     if (!entry->shapes) {
         entry->shapes = cx->new_<ShapeKindArray>();
         if (!entry->shapes)
             return NULL;
     }
 
     Shape *&shape = entry->shapes->get(kind);
 
@@ -1306,17 +1313,17 @@ BaseShape::lookupInitialShape(JSContext 
     if (initial) {
         shape = initial;
         return initial;
     }
 
     shape = JS_PROPERTY_TREE(cx).newShape(cx);
     if (!shape)
         return NULL;
-    return new (shape) EmptyShape(entry->base, gc::GetGCKindSlots(kind, clasp));
+    return new (shape) EmptyShape(nbase, gc::GetGCKindSlots(kind, clasp));
 }
 
 /* static */ void
 BaseShape::insertInitialShape(JSContext *cx, AllocKind kind, const Shape *initial)
 {
     JSCompartment::BaseShapeEntry *entry = LookupBaseShape(cx, *initial->base());
     JS_ASSERT(entry && entry->base == initial->base() && entry->shapes);
     entry->shapes->get(kind) = const_cast<Shape *>(initial);