Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2025-01-07 11:56:51 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1709537 - Remove property from shape table after (instead of before) removing it from the shape list. r=jonco

Browse Source 
In canSkipMarkingShapeCache we're now a bit more strict and assert that every shape
in the shape lineage is also found in the ShapeTable. However when removing a dictionary
property we first removed the entry from the ShapeTable and we can then assert as part
of the pre-barrier (verifier) when removing the shape from the shape list.

Differential Revision: https://phabricator.services.mozilla.com/D114581
This commit is contained in:
Jan de Mooij 2021-05-10 14:54:53 +00:00
parent 6b4cfa1f77
commit 233233ba3c
2 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
js/src/jit-test/tests/gc/bug1709537.js Normal file
View File

@ -0,0 +1,9 @@
function f() {
var obj = [];
for (var count = 20000; count > 15900; count--) {
obj[count] = 2;
}
assertEq(Object.getOwnPropertyNames(obj).length, 4101);
}
gczeal(4);
f();

14
js/src/vm/Shape.cpp
View File

@ -974,6 +974,10 @@ void NativeObject::removeDictionaryPropertyWithoutReshape(ShapeTable* table,
Shape* shape) {
// Removes a property from a dictionary object. The caller is responsible for
// generating a new shape for the object.
//
// A dictionary-mode object owns mutable, unique shapes on a non-circular
// doubly linked list, hashed by lastProperty()->table. So we can edit the
// list and table in place.
AutoCheckCannotGC nogc;
MOZ_ASSERT(inDictionaryMode());
@ -985,14 +989,10 @@ void NativeObject::removeDictionaryPropertyWithoutReshape(ShapeTable* table,
freeDictionarySlot(table, shape->slot());
}
// A dictionary-mode object owns mutable, unique shapes on a non-circular
// doubly linked list, hashed by lastProperty()->table. So we can edit the
// list and table in place.
table->remove(ptr);
// Remove shape from its non-circular doubly linked list.
// Remove shape from its non-circular doubly linked list and from the table.
bool removingLastProperty = (shape == lastProperty());
shape->removeFromDictionary(this);
table->remove(ptr);
// If we just removed the object's last property, move its ShapeTable,
// BaseShape and object flags to the new last property. Information in
@ -1123,6 +1123,8 @@ bool NativeObject::densifySparseElements(JSContext* cx,
obj->removeDictionaryPropertyWithoutReshape(table, ptr, shape);
shape = previous;
}
MOZ_ASSERT(obj->lastProperty()->maybeTable(nogc) == table);
}
// Generate a new shape for the object, infallibly.