diff --git a/js/src/jspropertytree.cpp b/js/src/jspropertytree.cpp index cd0eed70a3a1..57ea9112b0e5 100644 --- a/js/src/jspropertytree.cpp +++ b/js/src/jspropertytree.cpp @@ -278,10 +278,10 @@ Shape::fixupDictionaryShapeAfterMovingGC() return; // It's possible that this shape is unreachable and that listp points to the - // location of a dead object in the nursery. In this case we should never - // touch it again, so poison it for good measure. + // location of a dead object in the nursery, in which case we should never + // touch it again. if (IsInsideNursery(reinterpret_cast(listp))) { - JS_POISON(reinterpret_cast(this), JS_SWEPT_TENURED_PATTERN, sizeof(Shape)); + listp = nullptr; return; } diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp index 78e3df147836..034c2abfc2a5 100644 --- a/js/src/vm/Shape.cpp +++ b/js/src/vm/Shape.cpp @@ -443,11 +443,6 @@ js::NativeObject::toDictionaryMode(ThreadSafeContext *cx) { MOZ_ASSERT(!inDictionaryMode()); -#ifdef JSGC_COMPACTING - // TODO: This crashes if we run a compacting GC here. - js::AutoDisableCompactingGC nogc(zone()->runtimeFromAnyThread()); -#endif - /* We allocate the shapes from cx->compartment(), so make sure it's right. */ MOZ_ASSERT(cx->isInsideCurrentCompartment(this)); @@ -462,12 +457,9 @@ js::NativeObject::toDictionaryMode(ThreadSafeContext *cx) Rooted self(cx, this); - /* - * Clone the shapes into a new dictionary list. Don't update the - * last property of this object until done, otherwise a GC - * triggered while creating the dictionary will get the wrong - * slot span for this object. - */ + // Clone the shapes into a new dictionary list. Don't update the last + // property of this object until done, otherwise a GC triggered while + // creating the dictionary will get the wrong slot span for this object. RootedShape root(cx); RootedShape dictionaryShape(cx); 
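Review bot: In Shape::fixupDictionaryShapeAfterMovingGC() (jspropertytree.cpp hunk), clearing `listp` removes the dangling nursery pointer, but with JS_POISON dropped nothing marks the shape as dead any more, and the comment's "we should never touch it again" is not checked anywhere visible. After this commit a null `listp` is also what initDictionaryShape leaves on a shape that has not been linked yet (Shape.h hunk), so the two states look identical to any code that reads `listp`. I would document that at the assignment, e.g. `// Owner died in the nursery: leave the shape unlinked; readers of listp must tolerate nullptr.`, and confirm that the dictionary-list helpers outside this diff do not dereference `listp` unconditionally. The function body starts and ends outside the hunk.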
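Review bot: With the AutoDisableCompactingGC guard removed at the top of js::NativeObject::toDictionaryMode() (Shape.cpp, `@@ -443` hunk), a compacting GC can presumably run during the shape allocations further down, so any bare use of `this` after the first allocation would refer to the object's old location. The later hunks visible here go through the rooted `self`, but the rest of the body is outside the diff and should be checked for the same. A comment at the declaration of `self` would keep that invariant visible: `// A moving GC may relocate |this| below; use |self| from here on.`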
@@ -481,13 +473,13 @@ js::NativeObject::toDictionaryMode(ThreadSafeContext *cx) return false; } - HeapPtrShape *listp = dictionaryShape - ? &dictionaryShape->parent - : (HeapPtrShape *) root.address(); - + HeapPtrShape *listp = dictionaryShape ? &dictionaryShape->parent : nullptr; StackShape child(shape); dprop->initDictionaryShape(child, self->numFixedSlots(), listp); + if (!dictionaryShape) + root = dprop; + MOZ_ASSERT(!dprop->hasTable()); dictionaryShape = dprop; shape = shape->previous(); @@ -498,7 +490,7 @@ js::NativeObject::toDictionaryMode(ThreadSafeContext *cx) return false; } - MOZ_ASSERT((Shape **) root->listp == root.address()); + MOZ_ASSERT(root->listp == nullptr); root->listp = &self->shape_; self->shape_ = root; diff --git a/js/src/vm/Shape.h b/js/src/vm/Shape.h index 969e06cea1e8..92e384e20346 100644 --- a/js/src/vm/Shape.h +++ b/js/src/vm/Shape.h @@ -703,7 +703,8 @@ class Shape : public gc::TenuredCell this->flags |= IN_DICTIONARY; this->listp = nullptr; - insertIntoDictionary(dictp); + if (dictp) + insertIntoDictionary(dictp); } /* Replace the base shape of the last shape in a non-dictionary lineage with base. */
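Review bot: `listp` in the `@@ -481` hunk of toDictionaryMode() is a raw pointer to the `parent` field inside the shape held by `dictionaryShape`; the root is updated if that shape moves, the raw pointer is not. It stays valid only while nothing between taking the address and the `initDictionaryShape` call can trigger a GC. That looks true for the visible lines, since the allocation failure check precedes them, but it is easy to break now that compacting GC is no longer disabled in this function. I would add a comment above the declaration: `// Interior pointer into a GC thing: must not be held across anything that can GC.` The loop body starts outside the hunk.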
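Review bot: initDictionaryShape() in Shape.h now accepts a null `dictp` and returns a shape that has IN_DICTIONARY set but is on no list, and that contract is not written down anywhere in the hunk. The only visible caller relying on it, toDictionaryMode(), links the shape itself with `root->listp = &self->shape_`; a later caller that passes nullptr and omits that step is left with a dictionary shape whose `listp` is null. A comment above the new conditional would do: `// dictp may be null: the caller must then link the shape into a list itself before it is used.` The function begins outside the hunk.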