allstarschh/gist:8a94cef8781feaa3ada7582f586b2219

## gistfile1.txt
commit ada3601ce5366fe1bb7baa50506445bc464cbf1b
Author: Yoshi Cheng-Hao Huang <allstars.chh@gmail.com>
Date:   Thu Dec 13 17:38:31 2018 +0100

    assert read barrier

diff --git a/js/src/gc/Cell.h b/js/src/gc/Cell.h
index 83bae26ab242..0f656cd7b684 100644
--- a/js/src/gc/Cell.h
+++ b/js/src/gc/Cell.h
@@ -353,16 +353,18 @@ bool TenuredCell::isInsideZone(JS::Zone* zone) const {
   MOZ_ASSERT(CurrentThreadCanAccessZone(thing->zoneFromAnyThread()));

   // It would be good if barriers were never triggered during collection, but
   // at the moment this can happen e.g. when rekeying tables containing
   // read-barriered GC things after a moving GC.
   //
   // TODO: Fix this and assert we're not collecting if we're on the active
   // thread.
+  MOZ_ASSERT_IF(CurrentThreadCanAccessRuntime(thing->runtimeFromAnyThread()),
+                !JS::RuntimeHeapIsCollecting());

   JS::shadow::Zone* shadowZone = thing->shadowZoneFromAnyThread();
   if (shadowZone->needsIncrementalBarrier()) {
     // Barriers are only enabled on the main thread and are disabled while
     // collecting.
     MOZ_ASSERT(!RuntimeFromMainThreadIsHeapMajorCollecting(shadowZone));
     Cell* tmp = thing;
     TraceManuallyBarrieredGenericPointerEdge(shadowZone->barrierTracer(), &tmp,
diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
index ca9a38d9efea..a702a1c1adf5 100644
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -2286,22 +2286,22 @@ void Zone::fixupInitialShapeTable() {
     if (IsForwarded(shape)) {
       shape = Forwarded(shape);
       e.mutableFront().shape.set(shape);
     }
     shape->updateBaseShapeAfterMovingGC();

     // If the prototype has moved we have to rekey the entry.
     InitialShapeEntry entry = e.front();
-    if (entry.proto.proto().isObject() &&
-        IsForwarded(entry.proto.proto().toObject())) {
+    if (entry.proto.proto().unbarrieredGet().isObject() &&
+        IsForwarded(entry.proto.proto().unbarrieredGet().toObject())) {
       entry.proto.setProto(
-          TaggedProto(Forwarded(entry.proto.proto().toObject())));
+          TaggedProto(Forwarded(entry.proto.proto().unbarrieredGet().toObject())));
       using Lookup = InitialShapeEntry::Lookup;
-      Lookup relookup(shape->getObjectClass(), Lookup::ShapeProto(entry.proto),
+      Lookup relookup(shape->getObjectClass(), Lookup::ShapeProto(entry.proto.proto().unbarrieredGet()),
                       shape->numFixedSlots(), shape->getObjectFlags());
       e.rekeyFront(relookup, entry);
     }
   }
 }

 void AutoRooterGetterSetter::Inner::trace(JSTracer* trc) {
   if ((attrs & JSPROP_GETTER) && *pgetter) {
	commit ada3601ce5366fe1bb7baa50506445bc464cbf1b
	Author: Yoshi Cheng-Hao Huang <allstars.chh@gmail.com>
	Date: Thu Dec 13 17:38:31 2018 +0100

	assert read barrier

	diff --git a/js/src/gc/Cell.h b/js/src/gc/Cell.h
	index 83bae26ab242..0f656cd7b684 100644
	--- a/js/src/gc/Cell.h
	+++ b/js/src/gc/Cell.h
	@@ -353,16 +353,18 @@ bool TenuredCell::isInsideZone(JS::Zone* zone) const {
	MOZ_ASSERT(CurrentThreadCanAccessZone(thing->zoneFromAnyThread()));

	// It would be good if barriers were never triggered during collection, but
	// at the moment this can happen e.g. when rekeying tables containing
	// read-barriered GC things after a moving GC.
	//
	// TODO: Fix this and assert we're not collecting if we're on the active
	// thread.
	+ MOZ_ASSERT_IF(CurrentThreadCanAccessRuntime(thing->runtimeFromAnyThread()),
	+ !JS::RuntimeHeapIsCollecting());

	JS::shadow::Zone* shadowZone = thing->shadowZoneFromAnyThread();
	if (shadowZone->needsIncrementalBarrier()) {
	// Barriers are only enabled on the main thread and are disabled while
	// collecting.
	MOZ_ASSERT(!RuntimeFromMainThreadIsHeapMajorCollecting(shadowZone));
	Cell* tmp = thing;
	TraceManuallyBarrieredGenericPointerEdge(shadowZone->barrierTracer(), &tmp,
	diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
	index ca9a38d9efea..a702a1c1adf5 100644
	--- a/js/src/vm/Shape.cpp
	+++ b/js/src/vm/Shape.cpp
	@@ -2286,22 +2286,22 @@ void Zone::fixupInitialShapeTable() {
	if (IsForwarded(shape)) {
	shape = Forwarded(shape);
	e.mutableFront().shape.set(shape);
	}
	shape->updateBaseShapeAfterMovingGC();

	// If the prototype has moved we have to rekey the entry.
	InitialShapeEntry entry = e.front();
	- if (entry.proto.proto().isObject() &&
	- IsForwarded(entry.proto.proto().toObject())) {
	+ if (entry.proto.proto().unbarrieredGet().isObject() &&
	+ IsForwarded(entry.proto.proto().unbarrieredGet().toObject())) {
	entry.proto.setProto(
	- TaggedProto(Forwarded(entry.proto.proto().toObject())));
	+ TaggedProto(Forwarded(entry.proto.proto().unbarrieredGet().toObject())));
	using Lookup = InitialShapeEntry::Lookup;
	- Lookup relookup(shape->getObjectClass(), Lookup::ShapeProto(entry.proto),
	+ Lookup relookup(shape->getObjectClass(), Lookup::ShapeProto(entry.proto.proto().unbarrieredGet()),
	shape->numFixedSlots(), shape->getObjectFlags());
	e.rekeyFront(relookup, entry);
	}
	}
	}

	void AutoRooterGetterSetter::Inner::trace(JSTracer* trc) {
	if ((attrs & JSPROP_GETTER) && *pgetter) {