commit 05a63407bb5119cc91dfbe73171eacbdb47a29e4
parent 0eb57901407a79db6d37a2624afe1d7f49bbf571
Author: André Bargull <andre.bargull@gmail.com>
Date: Fri, 24 Oct 2025 07:59:43 +0000
Bug 1995764: Suppress GC when trying to inline native getters in GetPropIRGenerator. r=jandem
`InlinableNativeIRGenerator` can perform GC operations when allocating template
objects, so we have to suppress GC when called from `GetPropIRGenerator`,
because already written stub fields aren't currently traced. See also
`CacheIRWriter::trace()`.
Differential Revision: https://phabricator.services.mozilla.com/D269750
Diffstat:
1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
@@ -2454,6 +2454,11 @@ AttachDecision GetPropIRGenerator::tryAttachInlinableNativeGetter(
Handle<NativeObject*> holder, PropertyInfo prop, ValOperandId receiverId) {
MOZ_ASSERT(mode_ == ICState::Mode::Specialized);
+ // Suppress GC because |CacheIRWriter::trace()| doesn't yet support stub
+ // field tracing and stub fields were already added for shape and prototype
+ // guards.
+ gc::AutoSuppressGC suppressGC(cx_);
+
Rooted<JSFunction*> target(cx_, &holder->getGetter(prop)->as<JSFunction>());
MOZ_ASSERT(target->isNativeWithoutJitEntry());