Bug 1134146 - Use whole cell store buffer entries for unboxed object updates, r=jandem.

js/src/gc/Barrier.h

@@ -748,6 +748,7 @@ class JitCode;
 typedef PreBarriered<JSObject*> PreBarrieredObject;
 typedef PreBarriered<JSScript*> PreBarrieredScript;
 typedef PreBarriered<jit::JitCode*> PreBarrieredJitCode;
+typedef PreBarriered<JSString*> PreBarrieredString;
 typedef PreBarriered<JSAtom*> PreBarrieredAtom;
 
 typedef RelocatablePtr<JSObject*> RelocatablePtrObject;

js/src/jit-test/tests/basic/bug1134146.js

@@ -0,0 +1,10 @@
+
+function Foo(a, b) {
+    b = {};
+    this.b = b;
+};
+var a = [];
+for (var i = 0; i < 50; i++)
+    a.push(new Foo(i, i + 1));
+i = 0;
+a[i].c = i;

js/src/vm/UnboxedObject.cpp

@@ -87,7 +87,8 @@ UnboxedPlainObject::setValue(JSContext *cx, const UnboxedLayout::Property &prope
 
       case JSVAL_TYPE_STRING:
         if (v.isString()) {
-            *reinterpret_cast<HeapPtrString*>(p) = v.toString();
+            MOZ_ASSERT(!IsInsideNursery(v.toString()));
+            *reinterpret_cast<PreBarrieredString*>(p) = v.toString();
             return true;
         }
         return false;
@@ -99,7 +100,14 @@ UnboxedPlainObject::setValue(JSContext *cx, const UnboxedLayout::Property &prope
             // created.
             AddTypePropertyId(cx, this, NameToId(property.name), v);
 
-            *reinterpret_cast<HeapPtrObject*>(p) = v.toObjectOrNull();
+            // Manually trigger post barriers on the whole object. If we treat
+            // the pointer as a HeapPtrObject we will get confused later if the
+            // object is converted to its native representation.
+            JSObject *obj = v.toObjectOrNull();
+            if (IsInsideNursery(v.toObjectOrNull()) && !IsInsideNursery(this))
+                cx->runtime()->gc.storeBuffer.putWholeCellFromMainThread(this);
+
+            *reinterpret_cast<PreBarrieredObject*>(p) = obj;
             return true;
         }
         return false;