Bug 1105232 - Remove race updating COW shared elements owner pointer r=terrence

This commit is contained in:
Jon Coppeard 2014-12-04 10:15:20 -08:00
parent 14560bf45f
commit a1ac996177
2 changed files with 17 additions and 5 deletions

View File

@ -2194,9 +2194,22 @@ RelocateCell(Zone *zone, TenuredCell *src, AllocKind thingKind, size_t thingSize
JSObject *srcObj = static_cast<JSObject *>(static_cast<Cell *>(src));
JSObject *dstObj = static_cast<JSObject *>(static_cast<Cell *>(dst));
// Fixup the pointer to inline object elements if necessary.
if (srcObj->isNative() && srcObj->as<NativeObject>().hasFixedElements())
dstObj->as<NativeObject>().setFixedElements();
if (srcObj->isNative()) {
NativeObject *srcNative = &srcObj->as<NativeObject>();
NativeObject *dstNative = &dstObj->as<NativeObject>();
// Fixup the pointer to inline object elements if necessary.
if (srcNative->hasFixedElements())
dstNative->setFixedElements();
// For copy-on-write objects that own their elements, fix up the
// owner pointer to point to the relocated object.
if (srcNative->hasDynamicElements() && srcNative->denseElementsAreCopyOnWrite()) {
HeapPtrNativeObject &owner = srcNative->getElementsHeader()->ownerObject();
if (owner == srcNative)
owner = dstNative;
}
}
// Call object moved hook if present.
if (JSObjectMovedOp op = srcObj->getClass()->ext.objectMovedOp)

View File

@ -2768,8 +2768,7 @@ JSObject::fixupAfterMovingGC()
if (is<NativeObject>() && as<NativeObject>().hasDynamicElements()) {
ObjectElements *header = as<NativeObject>().getElementsHeader();
if (header->isCopyOnWrite()) {
HeapPtrNativeObject &owner = header->ownerObject();
owner = MaybeForwarded(owner.get());
NativeObject *owner = MaybeForwarded(header->ownerObject().get());
as<NativeObject>().elements_ = owner->getElementsHeader()->elements();
}
}