commit b93f2b4739e34d80c545d9178bfee4e0a21f8f0f
parent d1de417bc4755c51bc0d492c4b688f603145e626
Author: Jon Coppeard <jcoppeard@mozilla.com>
Date: Fri, 14 Nov 2025 10:44:24 +0000
Bug 1999749 - Check for previously marked buffers when marking nursery-owned buffers r=sfink
This issue only affects semispace nursery collection, which is not enabled by
default, and can only cause a heap accounting discrepancy.
Differential Revision: https://phabricator.services.mozilla.com/D272424
Diffstat:
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/js/src/gc/BufferAllocator.cpp b/js/src/gc/BufferAllocator.cpp
@@ -804,6 +804,11 @@ void BufferAllocator::markSmallNurseryOwnedBuffer(void* alloc,
MOZ_ASSERT(region->hasNurseryOwnedAllocs());
MOZ_ASSERT(region->isNurseryOwned(alloc));
+ if (region->isMarked(alloc)) {
+ MOZ_ASSERT(nurseryOwned);
+ return;
+ }
+
if (!nurseryOwned) {
region->setNurseryOwned(alloc, false);
// If all nursery owned allocations in the region were tenured then
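Review bot: The added `if (region->isMarked(alloc))` early return in markSmallNurseryOwnedBuffer relies on `MOZ_ASSERT(nurseryOwned)` alone to state why a revisited buffer needs no further handling; since MOZ_ASSERT is compiled out in release builds, a marked buffer arriving with nurseryOwned false would silently skip the `region->setNurseryOwned(alloc, false)` update that follows, so the reasoning deserves a comment rather than only an assertion. Something like `// Already marked by an earlier visit in this collection (presumably a buffer reachable from more than one cell during semispace nursery collection); a marked buffer is still nursery owned, so there is nothing to update or account for.` above the check would let a reader verify the invariant without reconstructing it from the commit message. The same applies to the matching block added in markMediumNurseryOwnedBuffer in the next hunk, which replaces the former `MOZ_ASSERT(!chunk->isMarked(alloc))` and now also returns before the `increaseHeapSize` call. The bodies of both functions continue outside their hunks.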
@@ -822,7 +827,11 @@ void BufferAllocator::markMediumNurseryOwnedBuffer(void* alloc,
MOZ_ASSERT(chunk->hasNurseryOwnedAllocs);
MOZ_ASSERT(chunk->isAllocated(alloc));
MOZ_ASSERT(chunk->isNurseryOwned(alloc));
- MOZ_ASSERT(!chunk->isMarked(alloc));
+
+ if (chunk->isMarked(alloc)) {
+ MOZ_ASSERT(nurseryOwned);
+ return;
+ }
size_t size = chunk->allocBytes(alloc);
increaseHeapSize(size, nurseryOwned, false, false);
@@ -845,6 +854,7 @@ void BufferAllocator::markLargeNurseryOwnedBuffer(LargeBuffer* buffer,
// been marked.
auto* region = SmallBufferRegion::from(buffer);
MOZ_ASSERT(region->isNurseryOwned(buffer));
+
if (region->isMarked(buffer)) {
MOZ_ASSERT(nurseryOwned);
return;