Bug 1203790 - Trigger a pre barrier when shrinking the initialized length of unboxed arrays, r=jandem.

This commit is contained in:
Brian Hackett 2015-09-22 09:15:46 -06:00
parent 65b10d348f
commit 3426511eb3
3 changed files with 33 additions and 6 deletions

View File

@ -0,0 +1,10 @@
gczeal(14);
verifyprebarriers();
x = [];
Array.prototype.push.call(x, new Uint8Array());
Array.prototype.some.call(x, function() {
try {
y.toString();
} catch (e) {}
});
Array.prototype.shift.call(x);

View File

@ -192,6 +192,28 @@ UnboxedArrayObject::setLength(ExclusiveContext* cx, uint32_t length)
length_ = length;
}
inline void
UnboxedArrayObject::setInitializedLength(uint32_t initlen)
{
MOZ_ASSERT(initlen <= InitializedLengthMask);
if (initlen < initializedLength()) {
switch (elementType()) {
case JSVAL_TYPE_STRING:
for (size_t i = initlen; i < initializedLength(); i++)
triggerPreBarrier<JSVAL_TYPE_STRING>(i);
break;
case JSVAL_TYPE_OBJECT:
for (size_t i = initlen; i < initializedLength(); i++)
triggerPreBarrier<JSVAL_TYPE_OBJECT>(i);
break;
default:
MOZ_ASSERT(!UnboxedTypeNeedsPreBarrier(elementType()));
}
}
capacityIndexAndInitializedLength_ =
(capacityIndexAndInitializedLength_ & CapacityMask) | initlen;
}
template <JSValueType Type>
inline bool
UnboxedArrayObject::setElementSpecific(ExclusiveContext* cx, size_t index, const Value& v)

View File

@ -497,12 +497,7 @@ class UnboxedArrayObject : public JSObject
}
inline void setLength(ExclusiveContext* cx, uint32_t len);
void setInitializedLength(uint32_t initlen) {
MOZ_ASSERT(initlen <= InitializedLengthMask);
capacityIndexAndInitializedLength_ =
(capacityIndexAndInitializedLength_ & CapacityMask) | initlen;
}
inline void setInitializedLength(uint32_t initlen);
private:
void setInlineElements() {