Backed out changeset 8038f0b90bbd (bug 1866518) for causing SM bustages on bug1866518-nursery-AB.js CLOSED TREE

2023-12-03 20:44:01 +02:00 · 2023-12-03 20:44:01 +02:00 · 116a776274
commit 116a776274
parent 9eb1000917
2 changed files with 1 additions and 21 deletions
--- a/js/src/gc/Nursery.h
+++ b/js/src/gc/Nursery.h
@ -112,15 +112,7 @@ class Nursery {
  MOZ_ALWAYS_INLINE bool isInside(gc::Cell* cellp) const = delete;
  MOZ_ALWAYS_INLINE bool isInside(const void* p) const {
    for (auto* chunk : chunks_) {
-      // The first sizeof(ChunkBase) bytes of the nursery is never used for
-      // data, which means that a pointer to the beginning of the nursery should
-      // be considered as a zero-length pointer to the end of the memory just
-      // before the chunk (as otherwise it would be ambiguous).
-      //
-      // It would be best to use chunk->start(), but that would require dragging
-      // a huge amount of stuff into *-inl.h files.
-      uintptr_t chunkStart = uintptr_t(chunk) + sizeof(gc::ChunkBase);
-      if (uintptr_t(p) - chunkStart <= gc::ChunkSize) {
+      if (uintptr_t(p) - uintptr_t(chunk) < gc::ChunkSize) {
        return true;
      }
    }
--- a/js/src/jit-test/tests/typedarray/bug1866518-nursery-AB.js
+++ b/js/src/jit-test/tests/typedarray/bug1866518-nursery-AB.js
@ -1,12 +0,0 @@
-// 9373 iterations were enough to trigger the crash, which requires
-// allocating an empty ArrayBuffer in the last Cell of a Chunk that
-// comes just before a NurseryChunk.
-//
-// 15000 iterations ran in 1 second on my machine.
-
-evalInWorker(`
-  gczeal(14);
-  a = [];
-  for (let b = 0; b < 15000; b++)
-    a.push(new ArrayBuffer);
-`);