commit e057665e4ad369e0e5080c875a0075316155a4fa
parent 1e0c498a6482b72ce9d9813fdb267bddeb495fb3
Author: André Bargull <andre.bargull@gmail.com>
Date: Fri, 24 Oct 2025 09:20:16 +0000
Bug 1995764: Suppress GC when trying to inline native getters in GetPropIRGenerator. r=jandem
`InlinableNativeIRGenerator` can perform GC operations when allocating template
objects, so we have to suppress GC when called from `GetPropIRGenerator`,
because already written stub fields aren't currently traced. See also
`CacheIRWriter::trace()`.
Differential Revision: https://phabricator.services.mozilla.com/D269750
Diffstat:
1 file changed, 6 insertions(+), 0 deletions(-)
diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
@@ -21,6 +21,7 @@
#include "builtin/Object.h"
#include "builtin/WeakMapObject.h"
#include "builtin/WeakSetObject.h"
+#include "gc/GC.h"
#include "jit/BaselineIC.h"
#include "jit/CacheIRCloner.h"
#include "jit/CacheIRCompiler.h"
@@ -2454,6 +2455,11 @@ AttachDecision GetPropIRGenerator::tryAttachInlinableNativeGetter(
Handle<NativeObject*> holder, PropertyInfo prop, ValOperandId receiverId) {
MOZ_ASSERT(mode_ == ICState::Mode::Specialized);
+ // Suppress GC because |CacheIRWriter::trace()| doesn't yet support stub
+ // field tracing and stub fields were already added for shape and prototype
+ // guards.
+ gc::AutoSuppressGC suppressGC(cx_);
+
Rooted<JSFunction*> target(cx_, &holder->getGetter(prop)->as<JSFunction>());
MOZ_ASSERT(target->isNativeWithoutJitEntry());