tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git

commit b56e4e2c3b1597960913d606d526f149eb40952c
parent fbe064140317cc4aeb5378bd40a1ddb9e9d9e1c5
Author: Jan de Mooij <jdemooij@mozilla.com>
Date:   Tue, 18 Nov 2025 12:03:03 +0000

Bug 1992990 part 3 - Add read barrier to ShapeListObject::get. r=iain

`ShapeListObject` has weak pointers to shapes, so we'll need a read barrier when
copying shapes to the Warp snapshot.

This patch adds `getUnbarriered` for the current `get` use in a debug assertion
where this read barrier is not needed and actually undesirable (side-effect in
debug-only code).

Differential Revision: https://phabricator.services.mozilla.com/D272479

Diffstat:
M js/src/jit/BaselineCacheIRCompiler.cpp | 13 ++++++++++---
M js/src/jit/BaselineCacheIRCompiler.h   |  4 +++-
2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/js/src/jit/BaselineCacheIRCompiler.cpp b/js/src/jit/BaselineCacheIRCompiler.cpp @@ -2071,7 +2071,13 @@ const JSClassOps ShapeListObject::classOps_ = { return &obj->as<ShapeListObject>(); } -Shape* ShapeListObject::get(uint32_t index) { +Shape* ShapeListObject::get(uint32_t index) const { + Shape* shape = getUnbarriered(index); + gc::ReadBarrier(shape); + return shape; +} + +Shape* ShapeListObject::getUnbarriered(uint32_t index) const { Value value = ListObject::get(index); return static_cast<Shape*>(value.toPrivate()); } @@ -2377,9 +2383,10 @@ static bool AddToFoldedStub(JSContext* cx, const CacheIRWriter& writer, // The assert verifies this property by checking the first element has // the same realm (and since everything in the list has the same realm, // checking the first element suffices) + Realm* shapesRealm = foldedShapes->realm(); MOZ_ASSERT_IF(!foldedShapes->isEmpty(), - foldedShapes->get(0)->realm() == foldedShapes->realm()); - if (foldedShapes->realm() != shape->realm()) { + foldedShapes->getUnbarriered(0)->realm() == shapesRealm); + if (shapesRealm != shape->realm()) { return false; } diff --git a/js/src/jit/BaselineCacheIRCompiler.h b/js/src/jit/BaselineCacheIRCompiler.h @@ -179,7 +179,9 @@ class ShapeListObject : public ListObject { static ShapeListObject* create(JSContext* cx); static void trace(JSTracer* trc, JSObject* obj); - Shape* get(uint32_t index); + Shape* get(uint32_t index) const; + Shape* getUnbarriered(uint32_t index) const; + bool traceWeak(JSTracer* trc); };
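Review bot: in the first hunk of BaselineCacheIRCompiler.cpp, `ShapeListObject::get` becomes `const` while calling `gc::ReadBarrier(shape)`, which the commit message itself describes as a side effect. A short comment on the definition saying that the method can trigger the read barrier despite being `const` would keep callers from treating it as a pure accessor.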
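Review bot: in the `AddToFoldedStub` hunk, the comment above `MOZ_ASSERT_IF` explains the realm check but not why the assertion reads the entry through `getUnbarriered(0)` instead of `get(0)`. Add a line there saying the barrier is skipped on purpose because this is debug-only code and must not have side effects, so that a later cleanup does not switch it back to `get`.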
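Review bot: in the BaselineCacheIRCompiler.h hunk, `get` and `getUnbarriered` are declared in `class ShapeListObject` without comments, so the header gives no hint which accessor a caller should pick. Document `get` as the default, applying the read barrier because the list holds shapes weakly, and `getUnbarriered` as intended for cases like the debug assertion where the barrier is not wanted.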