Bug 701682 - Avoid write barrier when slowifying an array (r=bhackett)

2011-11-14 11:10:22 -08:00
parent 8f5d7e78c5
commit 149c5e0297
1 changed files with 10 additions and 1 deletions
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -1400,7 +1400,16 @@ JSObject::makeDenseArraySlow(JSContext *cx)
        if (slots[i].isMagic(JS_ARRAY_HOLE))
            continue;

-        setSlot(next, slots[i]);
+        /*
+         * No barrier is needed here because the set of reachable objects before
+         * and after slowification is the same. During slowification, the
+         * autoArray rooter guarantees that all slots will be marked.
+         *
+         * It's important that we avoid a barrier here because the fixed slots
+         * of a dense array can be garbage; a write barrier after the switch to
+         * a slow array could cause a crash.
+         */
+        initSlotUnchecked(next, slots[i]);

        if (!addDataProperty(cx, id, next, JSPROP_ENUMERATE)) {
            setMap(oldMap);