Bug 1264823 - Add pre-barrier to the elements of mapIterationResultPair. r=jandem
authorTooru Fujisawa <arai_a@mac.com>
Fri, 22 Apr 2016 00:29:23 +0900
changeset 332210 cdcf362a0234ad70425b14c4d58568d7bd66381b
parent 332209 b1e8dbf2f4c92666991b0a026dfbc8fa0fa26826
child 332211 b41c3ceb94d42a39b31349e6e29b227521fc15b8
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
treeherdermozilla-beta@46d72a56c57d [default view] [failures only]
reviewersjandem
bugs1264823
milestone48.0a1
Bug 1264823 - Add pre-barrier to the elements of mapIterationResultPair. r=jandem
js/src/builtin/MapObject.cpp
js/src/jit-test/tests/auto-regress/bug1264823.js
js/src/jit/CodeGenerator.cpp
--- a/js/src/builtin/MapObject.cpp
+++ b/js/src/builtin/MapObject.cpp
@@ -195,28 +195,16 @@ MapIteratorObject::next(JSContext* cx, H
     // The array should be tenured, so that post-barrier can be done simply.
     MOZ_ASSERT(resultPairObj->isTenured());
 
     // The array elements should be fixed.
     MOZ_ASSERT(resultPairObj->hasFixedElements());
     MOZ_ASSERT(resultPairObj->getDenseInitializedLength() == 2);
     MOZ_ASSERT(resultPairObj->getDenseCapacity() >= 2);
 
-#ifdef DEBUG
-    // The array elements should be null, so that inlined
-    // _GetNextMapEntryForIterator doesn't have to perform pre-barrier.
-    RootedValue val(cx);
-    if (!GetElement(cx, resultPairObj, resultPairObj, 0, &val))
-        return false;
-    MOZ_ASSERT(val.isNull());
-    if (!GetElement(cx, resultPairObj, resultPairObj, 1, &val))
-        return false;
-    MOZ_ASSERT(val.isNull());
-#endif
-
     ValueMap::Range* range = MapIteratorObjectRange(mapIterator);
     if (!range || range->empty()) {
         js_delete(range);
         mapIterator->setReservedSlot(RangeSlot, PrivateValue(nullptr));
         return true;
     }
     switch (mapIterator->kind()) {
       case MapObject::Keys:
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/auto-regress/bug1264823.js
@@ -0,0 +1,11 @@
+if (!('oomTest' in this))
+    quit();
+
+loadFile("");
+loadFile("");
+loadFile(` function lalala() {}
+    new Map([[1, 2]]).forEach(lalala)
+    `);
+function loadFile(lfVarx) oomTest(function() {
+    eval(lfVarx)
+})
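Review bot: The new test has no comment tying it to the defect, and its fuzzer-derived shape (two empty `loadFile("")` calls, the expression-closure form `function loadFile(lfVarx) oomTest(...)`) gives a reader no hint of what must keep working. A one-line header such as `// Bug 1264823: overwriting the Map iterator result pair must pre-barrier the old elements.` would do. Note also that the guard `if (!('oomTest' in this)) quit();` makes the test a silent no-op in shells without `oomTest`, so this coverage exists only in builds that provide it.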
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -6077,18 +6077,22 @@ CodeGenerator::visitGetNextMapEntryForIt
 
         Register front = iter;
         ValueMapRangeFront(masm, range, temp, front);
 
         size_t elementsOffset = NativeObject::offsetOfFixedElements();
 
         Address keyAddress(front, ValueMap::Entry::offsetOfKey());
         Address valueAddress(front, ValueMap::Entry::offsetOfValue());
-        masm.storeValue(keyAddress, Address(result, elementsOffset), temp);
-        masm.storeValue(valueAddress, Address(result, elementsOffset + sizeof(Value)), temp);
+        Address keyElemAddress(result, elementsOffset);
+        Address valueElemAddress(result, elementsOffset + sizeof(Value));
+        masm.patchableCallPreBarrier(keyElemAddress, MIRType_Value);
+        masm.patchableCallPreBarrier(valueElemAddress, MIRType_Value);
+        masm.storeValue(keyAddress, keyElemAddress, temp);
+        masm.storeValue(valueAddress, valueElemAddress, temp);
 
         Label keyIsNotObject, valueIsNotNurseryObject, emitBarrier;
         masm.branchTestObject(Assembler::NotEqual, keyAddress, &keyIsNotObject);
         masm.branchValueIsNurseryObject(Assembler::Equal, keyAddress, temp,
                                         &emitBarrier);
         masm.bind(&keyIsNotObject);
         masm.branchTestObject(Assembler::NotEqual, valueAddress, &valueIsNotNurseryObject);
         masm.branchValueIsNurseryObject(Assembler::NotEqual, valueAddress, temp,
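Review bot: The two `patchableCallPreBarrier` calls added before the stores have no comment saying why overwriting the result pair's elements now needs a pre-barrier, while this same commit removes from MapObject.cpp the DEBUG assertion and comment that recorded the opposite assumption, that both elements are null on entry. I would add above them something like `// The result pair's elements may still hold GC things from an earlier call, so pre-barrier the old values before overwriting them.` (presumably that is the case the regression test hits; confirm). A skipped pre-barrier during incremental marking can leave a live object unmarked, so the invariant is worth stating at the store site. The non-inlined path in `MapIteratorObject::next` writes the same two elements outside the visible hunks, and it is worth confirming that those stores go through a barriered setter. The enclosing function starts and ends outside this hunk.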