Add incremental GC barrier for generator frames associated with args/call objects, bug 716013. r=billm

2024-09-13 09:24:08 -07:00 · 2012-01-23 13:59:04 -08:00 · 2012-01-23 13:59:04 -08:00 · 07c3a6041b
commit 07c3a6041b
parent 83e209b524
2 changed files with 15 additions and 0 deletions
--- a/js/src/jit-test/tests/basic/bug716013.js
+++ b/js/src/jit-test/tests/basic/bug716013.js
@ -0,0 +1,4 @@
+f = (function() {
+    for (x in [arguments, arguments]) yield(gczeal(4, function(){}))
+})
+for (i in f()) {}
--- a/js/src/vm/Stack.cpp
+++ b/js/src/vm/Stack.cpp
@ -794,6 +794,17 @@ ContextStack::pushGeneratorFrame(JSContext *cx, JSGenerator *gen, GeneratorFrame
    gfg->gen_ = gen;
    gfg->stackvp_ = stackvp;

+    /*
+     * Trigger incremental barrier on the floating frame's generator object.
+     * This is normally traced through only by associated arguments/call
+     * objects, but only when the generator is not actually on the stack.
+     * We don't need to worry about generational barriers as the generator
+     * object has a trace hook and cannot be nursery allocated.
+     */
+    JSObject *genobj = js_FloatingFrameToGenerator(genfp)->obj;
+    JS_ASSERT(genobj->getClass()->trace);
+    JSObject::writeBarrierPre(genobj);
+
    /* Copy from the generator's floating frame to the stack. */
    stackfp->stealFrameAndSlots(stackvp, genfp, genvp, gen->regs.sp);
    stackfp->resetGeneratorPrev(cx);