Bug 906243 - Handle shrinkSlots correctly for nursery things; r=jonco

--HG--
extra : rebase_source : 7c7a94b64d6227f701590d9da14cd6e6f0cde019

js/src/gc/Nursery.cpp

@@ -181,6 +181,15 @@ js::Nursery::reallocateElements(JSContext *cx, JSObject *obj, ObjectElements *ol
     return reinterpret_cast<ObjectElements *>(slots);
 }
 
+void
+js::Nursery::freeSlots(JSContext *cx, HeapSlot *slots)
+{
+    if (!isInside(slots)) {
+        hugeSlots.remove(slots);
+        js_free(slots);
+    }
+}
+
 HeapSlot *
 js::Nursery::allocateHugeSlots(JSContext *cx, size_t nslots)
 {

js/src/gc/Nursery.h

@@ -79,6 +79,9 @@ class Nursery
     ObjectElements *reallocateElements(JSContext *cx, JSObject *obj, ObjectElements *oldHeader,
                                        uint32_t oldCount, uint32_t newCount);
 
+    /* Free a slots array. */
+    void freeSlots(JSContext *cx, HeapSlot *slots);
+
     /* Add a slots to our tracking list if it is out-of-line. */
     void notifyInitialSlots(gc::Cell *cell, HeapSlot *slots);
 

js/src/jit-test/tests/gc/bug-906243.js

@@ -0,0 +1,12 @@
+a2 = []
+g = function() r
+Object.defineProperty(a2, 0, {
+    set: function() {}
+})
+for (var x = 0; x < 70; ++x) {
+    Array.prototype.unshift.call(a2, g)
+}
+a2.length = 8
+for each(e in [0, 0]) {
+    Array.prototype.shift.call(a2)
+}

js/src/jsobj.cpp

@@ -2587,9 +2587,10 @@ FreeSlots(ExclusiveContext *cx, HeapSlot *slots)
 {
     // Note: threads without a JSContext do not have access to nursery allocated things.
 #ifdef JSGC_GENERATIONAL
-    if (!cx->isJSContext() || !cx->asJSContext()->runtime()->gcNursery.isInside(slots))
+    if (cx->isJSContext())
+        return cx->asJSContext()->runtime()->gcNursery.freeSlots(cx->asJSContext(), slots);
 #endif
-        js_free(slots);
+    js_free(slots);
 }
 
 /* static */ void