Bug 1496378 part 5 - Clean up ArrayBufferViewObject::trace. r=jwalden
authorJan de Mooij <jdemooij@mozilla.com>
Mon, 15 Oct 2018 11:42:35 +0000
changeset 499723 b449c4991dc4153716f7d53173a14f7a29284616
parent 499722 992c0bd2f327fd11fa790814162621f77080eb6b
child 499724 8886fad423dc0f7de57b96512b5680eecc2733ba
push id1864
push userffxbld-merge
push dateMon, 03 Dec 2018 15:51:40 +0000
treeherdermozilla-release@f040763d99ad [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersjwalden
bugs1496378
milestone64.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1496378 part 5 - Clean up ArrayBufferViewObject::trace. r=jwalden Depends on D7724 Differential Revision: https://phabricator.services.mozilla.com/D7727
js/src/vm/ArrayBufferViewObject.cpp
js/src/vm/TypedArrayObject.cpp
js/src/vm/TypedArrayObject.h
--- a/js/src/vm/ArrayBufferViewObject.cpp
+++ b/js/src/vm/ArrayBufferViewObject.cpp
@@ -20,59 +20,39 @@ using namespace js;
  * This method is used to trace TypedArrayObjects and DataViewObjects. We need
  * a custom tracer to move the object's data pointer if its owner was moved and
  * stores its data inline.
  */
 /* static */ void
 ArrayBufferViewObject::trace(JSTracer* trc, JSObject* objArg)
 {
     NativeObject* obj = &objArg->as<NativeObject>();
-    HeapSlot& bufSlot = obj->getFixedSlotRef(TypedArrayObject::BUFFER_SLOT);
-    TraceEdge(trc, &bufSlot, "typedarray.buffer");
+    HeapSlot& bufSlot = obj->getFixedSlotRef(BUFFER_SLOT);
+    TraceEdge(trc, &bufSlot, "ArrayBufferViewObject.buffer");
 
     // Update obj's data pointer if it moved.
     if (bufSlot.isObject()) {
         if (IsArrayBuffer(&bufSlot.toObject())) {
             ArrayBufferObject& buf = AsArrayBuffer(MaybeForwarded(&bufSlot.toObject()));
-            uint32_t offset = uint32_t(obj->getFixedSlot(TypedArrayObject::BYTEOFFSET_SLOT).toInt32());
+            uint32_t offset = uint32_t(obj->getFixedSlot(BYTEOFFSET_SLOT).toInt32());
             MOZ_ASSERT(offset <= INT32_MAX);
 
-            if (buf.forInlineTypedObject()) {
-                MOZ_ASSERT(buf.dataPointer() != nullptr);
-
-                // The data is inline with an InlineTypedObject associated with the
-                // buffer. Get a new address for the typed object if it moved.
-                JSObject* view = buf.firstView();
-
-                // Mark the object to move it into the tenured space.
-                TraceManuallyBarrieredEdge(trc, &view, "typed array nursery owner");
-                MOZ_ASSERT(view->is<InlineTypedObject>());
-                MOZ_ASSERT(view != obj);
-
-                size_t nfixed = obj->numFixedSlotsMaybeForwarded();
-                void* srcData = obj->getPrivate(nfixed);
-                void* dstData = view->as<InlineTypedObject>().inlineTypedMemForGC() + offset;
-                obj->setPrivateUnbarriered(nfixed, dstData);
+            // We don't expose the underlying ArrayBuffer for typed objects,
+            // and we don't allow constructing a TypedObject from an arbitrary
+            // ArrayBuffer, so we should never have a TypedArray/DataView with
+            // a buffer that has TypedObject views.
+            MOZ_RELEASE_ASSERT(!buf.forInlineTypedObject());
 
-                // We can't use a direct forwarding pointer here, as there might
-                // not be enough bytes available, and other views might have data
-                // pointers whose forwarding pointers would overlap this one.
-                if (trc->isTenuringTracer()) {
-                    Nursery& nursery = trc->runtime()->gc.nursery();
-                    nursery.maybeSetForwardingPointer(trc, srcData, dstData, /* direct = */ false);
-                }
-            } else {
-                MOZ_ASSERT_IF(buf.dataPointer() == nullptr, offset == 0);
+            MOZ_ASSERT_IF(buf.dataPointer() == nullptr, offset == 0);
 
-                // The data may or may not be inline with the buffer. The buffer
-                // can only move during a compacting GC, in which case its
-                // objectMoved hook has already updated the buffer's data pointer.
-                size_t nfixed = obj->numFixedSlotsMaybeForwarded();
-                obj->setPrivateUnbarriered(nfixed, buf.dataPointer() + offset);
-            }
+            // The data may or may not be inline with the buffer. The buffer
+            // can only move during a compacting GC, in which case its
+            // objectMoved hook has already updated the buffer's data pointer.
+            size_t nfixed = obj->numFixedSlotsMaybeForwarded();
+            obj->setPrivateUnbarriered(nfixed, buf.dataPointer() + offset);
         }
     }
 }
 
 template <>
 bool
 JSObject::is<js::ArrayBufferViewObject>() const
 {
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@@ -128,23 +128,16 @@ TypedArrayObject::assertZeroLengthArrayD
 {
     if (length() == 0 && !hasBuffer()) {
         uint8_t* end = fixedData(TypedArrayObject::FIXED_DATA_START);
         MOZ_ASSERT(end[0] == ZeroLengthArrayData);
     }
 }
 #endif
 
-/* static */ void
-TypedArrayObject::trace(JSTracer* trc, JSObject* objArg)
-{
-    // Handle all tracing required when the object has a buffer.
-    ArrayBufferViewObject::trace(trc, objArg);
-}
-
 void
 TypedArrayObject::finalize(FreeOp* fop, JSObject* obj)
 {
     MOZ_ASSERT(!IsInsideNursery(obj));
     TypedArrayObject* curObj = &obj->as<TypedArrayObject>();
 
     // Template objects or discarded objects (which didn't have enough room
     // for inner elements). Don't have anything to free.
@@ -2030,17 +2023,17 @@ static const ClassOps TypedArrayClassOps
     nullptr,                 /* enumerate   */
     nullptr,                 /* newEnumerate */
     nullptr,                 /* resolve     */
     nullptr,                 /* mayResolve  */
     TypedArrayObject::finalize, /* finalize    */
     nullptr,                 /* call        */
     nullptr,                 /* hasInstance */
     nullptr,                 /* construct   */
-    TypedArrayObject::trace, /* trace  */
+    ArrayBufferViewObject::trace, /* trace  */
 };
 
 static const ClassExtension TypedArrayClassExtension = {
     nullptr,
     TypedArrayObject::objectMoved,
 };
 
 #define IMPL_TYPED_ARRAY_PROPERTIES(_type)                                     \
--- a/js/src/vm/TypedArrayObject.h
+++ b/js/src/vm/TypedArrayObject.h
@@ -146,17 +146,16 @@ class TypedArrayObject : public ArrayBuf
      * Byte length above which created typed arrays will have singleton types
      * regardless of the context in which they are created. This only applies to
      * typed arrays created with an existing ArrayBuffer.
      */
     static const uint32_t SINGLETON_BYTE_LENGTH = 1024 * 1024 * 10;
 
     static bool isOriginalLengthGetter(Native native);
 
-    static void trace(JSTracer* trc, JSObject* obj);
     static void finalize(FreeOp* fop, JSObject* obj);
     static size_t objectMoved(JSObject* obj, JSObject* old);
 
     /* Initialization bits */
 
     template<Value ValueGetter(const TypedArrayObject* tarr)>
     static bool
     GetterImpl(JSContext* cx, const CallArgs& args)