Bug 1728565 part 4 - Remove support for objects with fixed data from the generic allocation path. r=sfink

Depends on D124326

Differential Revision: https://phabricator.services.mozilla.com/D124327

js/src/vm/JSObject-inl.h

@@ -132,6 +132,7 @@ inline bool JSObject::isUnqualifiedVarObj() const {
 
 namespace js {
 
+#ifdef DEBUG
 inline bool ClassCanHaveFixedData(const JSClass* clasp) {
   // Normally, the number of fixed slots given an object is the maximum
   // permitted for its size class. For array buffers and non-shared typed
@@ -141,6 +142,7 @@ inline bool ClassCanHaveFixedData(const JSClass* clasp) {
   return !clasp->isNativeObject() || clasp == &js::ArrayBufferObject::class_ ||
          js::IsTypedArrayClass(clasp);
 }
+#endif
 
 class MOZ_RAII AutoSuppressAllocationMetadataBuilder {
   JS::Zone* zone;

js/src/vm/JSObject.cpp

@@ -740,13 +740,12 @@ static inline NativeObject* NewObject(JSContext* cx, Handle<TaggedProto> proto,
   MOZ_ASSERT(clasp != &PlainObject::class_);
   MOZ_ASSERT(!clasp->isJSFunction());
 
-  // For objects which can have fixed data following the object, only use
-  // enough fixed slots to cover the number of reserved slots in the object,
-  // regardless of the allocation kind specified.
-  size_t nfixed = ClassCanHaveFixedData(clasp)
-                      ? GetGCKindSlots(gc::GetGCObjectKind(clasp))
-                      : GetGCKindSlots(kind);
+  // Computing nfixed based on the AllocKind isn't right for objects which can
+  // store fixed data inline (TypedArrays and ArrayBuffers) so for simplicity
+  // and performance reasons we don't support such objects here.
+  MOZ_ASSERT(!ClassCanHaveFixedData(clasp));
 
+  size_t nfixed = GetGCKindSlots(kind);
   RootedShape shape(
       cx, SharedShape::getInitialShape(cx, clasp, cx->realm(), proto, nfixed,
                                        objectFlags));