Bug 1010947 - Nursery: tenuredSize is computed incorrectly for ArrayObject objects. r=jonco

2024-09-13 09:24:08 -07:00 · 2014-06-06 09:44:02 +02:00 · 2014-06-06 09:44:02 +02:00 · 84c691ea1a
commit 84c691ea1a
parent 718adcc924
1 changed files with 5 additions and 1 deletions
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@ -583,9 +583,13 @@ js::Nursery::moveObjectToTenured(JSObject *dst, JSObject *src, AllocKind dstKind
     * Arrays do not necessarily have the same AllocKind between src and dst.
     * We deal with this by copying elements manually, possibly re-inlining
     * them if there is adequate room inline in dst.
+     *
+     * For Arrays we're reducing tenuredSize to the smaller srcSize
+     * because moveElementsToTenured() accounts for all Array elements,
+     * even if they are inlined.
     */
    if (src->is<ArrayObject>())
-        srcSize = sizeof(ObjectImpl);
+        tenuredSize = srcSize = sizeof(ObjectImpl);

    js_memcpy(dst, src, srcSize);
    tenuredSize += moveSlotsToTenured(dst, src, dstKind);