Bug 714616: fix write barrier in Array.shift, r=billm

--HG-- extra : rebase_source : 2fd10ab4cc3a93aee188ef6f9bbc388f66da2d37
2024-09-13 09:24:08 -07:00 · 2012-01-30 17:13:07 -08:00 · 2012-01-30 17:13:07 -08:00 · 0df5a8f252
commit 0df5a8f252
parent b1d42d538c
4 changed files with 19 additions and 3 deletions
--- a/js/src/jit-test/tests/basic/bug714616.js
+++ b/js/src/jit-test/tests/basic/bug714616.js
@ -0,0 +1,8 @@
+array1 = new Array();
+size   = 10;
+for (i = 0; i < size; (array1.length)++)
+{
+  array1.push(array1.shift());
+  ++i
+}
+
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@ -2506,7 +2506,7 @@ mjit::stubs::ArrayShift(VMFrame &f)
     * themselves.
     */
    uint32_t initlen = obj->getDenseArrayInitializedLength();
-    obj->moveDenseArrayElements(0, 1, initlen);
+    obj->moveDenseArrayElementsUnbarriered(0, 1, initlen);
 }
 #endif /* JS_METHODJIT */

@ -2533,7 +2533,7 @@ js::array_shift(JSContext *cx, uintN argc, Value *vp)
            args.rval() = obj->getDenseArrayElement(0);
            if (args.rval().isMagic(JS_ARRAY_HOLE))
                args.rval().setUndefined();
-            obj->moveDenseArrayElements(0, 1, length);
+            obj->moveDenseArrayElements(0, 1, obj->getDenseArrayInitializedLength() - 1);
            obj->setDenseArrayInitializedLength(obj->getDenseArrayInitializedLength() - 1);
            obj->setArrayLength(cx, length);
            if (!js_SuppressDeletedProperty(cx, obj, INT_TO_JSID(length)))
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@ -1066,6 +1066,7 @@ struct JSObject : js::gc::Cell
    inline void copyDenseArrayElements(uintN dstStart, const js::Value *src, uintN count);
    inline void initDenseArrayElements(uintN dstStart, const js::Value *src, uintN count);
    inline void moveDenseArrayElements(uintN dstStart, uintN srcStart, uintN count);
+    inline void moveDenseArrayElementsUnbarriered(uintN dstStart, uintN srcStart, uintN count);
    inline bool denseArrayHasInlineSlots() const;

    /* Packed information for this array. */
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@ -607,7 +607,7 @@ inline void
 JSObject::moveDenseArrayElements(uintN dstStart, uintN srcStart, uintN count)
 {
    JS_ASSERT(dstStart + count <= getDenseArrayCapacity());
-    JS_ASSERT(srcStart + count <= getDenseArrayCapacity());
+    JS_ASSERT(srcStart + count <= getDenseArrayInitializedLength());

    /*
     * Use a custom write barrier here since it's performance sensitive. We
@ -626,6 +626,13 @@ JSObject::moveDenseArrayElements(uintN dstStart, uintN srcStart, uintN count)
    memmove(elements + dstStart, elements + srcStart, count * sizeof(js::Value));
 }

+inline void
+JSObject::moveDenseArrayElementsUnbarriered(uintN dstStart, uintN srcStart, uintN count)
+{
+    JS_ASSERT(!compartment()->needsBarrier());
+    memmove(elements + dstStart, elements + srcStart, count * sizeof(js::Value));
+}
+
 inline bool
 JSObject::denseArrayHasInlineSlots() const
 {