Bug 1203790 - Trigger a pre barrier when shrinking the initialized length of unboxed arrays, r=jandem.

js/src/jit-test/tests/basic/bug1203790.js

@@ -0,0 +1,10 @@
+gczeal(14);
+verifyprebarriers();
+x = [];
+Array.prototype.push.call(x, new Uint8Array());
+Array.prototype.some.call(x, function() {
+    try {
+        y.toString();
+    } catch (e) {}
+});
+Array.prototype.shift.call(x);

js/src/vm/UnboxedObject-inl.h

@@ -192,6 +192,28 @@ UnboxedArrayObject::setLength(ExclusiveContext* cx, uint32_t length)
     length_ = length;
 }
 
+inline void
+UnboxedArrayObject::setInitializedLength(uint32_t initlen)
+{
+    MOZ_ASSERT(initlen <= InitializedLengthMask);
+    if (initlen < initializedLength()) {
+        switch (elementType()) {
+          case JSVAL_TYPE_STRING:
+            for (size_t i = initlen; i < initializedLength(); i++)
+                triggerPreBarrier<JSVAL_TYPE_STRING>(i);
+            break;
+          case JSVAL_TYPE_OBJECT:
+            for (size_t i = initlen; i < initializedLength(); i++)
+                triggerPreBarrier<JSVAL_TYPE_OBJECT>(i);
+            break;
+          default:
+            MOZ_ASSERT(!UnboxedTypeNeedsPreBarrier(elementType()));
+        }
+    }
+    capacityIndexAndInitializedLength_ =
+        (capacityIndexAndInitializedLength_ & CapacityMask) | initlen;
+}
+
 template <JSValueType Type>
 inline bool
 UnboxedArrayObject::setElementSpecific(ExclusiveContext* cx, size_t index, const Value& v)

js/src/vm/UnboxedObject.h

@@ -497,12 +497,7 @@ class UnboxedArrayObject : public JSObject
     }
 
     inline void setLength(ExclusiveContext* cx, uint32_t len);
-
+    inline void setInitializedLength(uint32_t initlen);
-    void setInitializedLength(uint32_t initlen) {
-        MOZ_ASSERT(initlen <= InitializedLengthMask);
-        capacityIndexAndInitializedLength_ =
-            (capacityIndexAndInitializedLength_ & CapacityMask) | initlen;
-    }
 
   private:
     void setInlineElements() {