Bug 1396931 - Simplify sweeping of dictionary mode objects allocated in the nursery r=sfink

2024-10-22 17:55:50 +00:00 · 2017-09-06 09:07:09 +01:00 · 2017-09-06 09:07:09 +01:00 · 8a6867261a
commit 8a6867261a
parent dd357608a2
4 changed files with 16 additions and 6 deletions
--- a/js/src/gc/Marking.cpp
+++ b/js/src/gc/Marking.cpp
@ -2975,12 +2975,8 @@ js::TenuringTracer::moveObjectToTenured(JSObject* dst, JSObject* src, AllocKind
        tenuredSize += moveSlotsToTenured(ndst, nsrc, dstKind);
        tenuredSize += moveElementsToTenured(ndst, nsrc, dstKind);

-        // The shape's list head may point into the old object. This can only
-        // happen for dictionaries, which are native objects.
-        if (&nsrc->shape_ == ndst->shape_->listp) {
-            MOZ_ASSERT(nsrc->shape_->inDictionary());
-            ndst->shape_->listp = &ndst->shape_;
-        }
+        // There is a pointer into a dictionary mode object from the head of its
+        // shape list. This is updated in Nursery::sweepDictionaryModeObjects().
    }

    if (src->is<InlineTypedObject>()) {
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@ -1079,6 +1079,8 @@ js::Nursery::sweepDictionaryModeObjects()
    for (auto obj : dictionaryModeObjects_) {
        if (!IsForwarded(obj))
            obj->sweepDictionaryListPointer();
+        else
+            Forwarded(obj)->updateDictionaryListPointerAfterMinorGC(obj);
    }
    dictionaryModeObjects_.clear();
 }
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@ -143,6 +143,17 @@ js::NativeObject::sweepDictionaryListPointer()
        shape_->listp = nullptr;
 }

+MOZ_ALWAYS_INLINE void
+js::NativeObject::updateDictionaryListPointerAfterMinorGC(NativeObject* old)
+{
+    MOZ_ASSERT(this == Forwarded(old));
+
+    // Dictionary objects can be allocated in the nursery and when they are
+    // tenured the shape's pointer into the object needs to be updated.
+    if (shape_->listp == &old->shape_)
+        shape_->listp = &shape_;
+}
+
 /* static */ inline bool
 JSObject::setSingleton(JSContext* cx, js::HandleObject obj)
 {
--- a/js/src/vm/NativeObject.h
+++ b/js/src/vm/NativeObject.h
@ -1344,6 +1344,7 @@ class NativeObject : public ShapedObject

    void updateShapeAfterMovingGC();
    void sweepDictionaryListPointer();
+    void updateDictionaryListPointerAfterMinorGC(NativeObject* old);

    /* JIT Accessors */
    static size_t offsetOfElements() { return offsetof(NativeObject, elements_); }