The InitialShapeTable uses a Lookup with an optional 'metadata' field, which may be nursery-allocated. If that moves, the entry will become unfindable.

It seems kind of gross to be calling out to jsfriendapi from jscompartment.cpp. Perhaps I should move the DisableGenerational thing somewhere else.

Comment on attachment 819991 [details] [diff] [review] Disable GGC when object metadata is used Review of attachment 819991 [details] [diff] [review]: ----------------------------------------------------------------- r=me ::: js/src/jscompartment.cpp @@ +630,5 @@ > + > + // Turn off GGC to prevent nursery-allocated metadata from being used > + // as a lookup key in InitialShapeTable entries. > + if (callback) > + JS::DisableGenerationalGC(runtime_); I guess it's trivial enough that we should probably also allow full removal of the callback: else JS::EnableGenerationalGC(runtime_); @@ +631,5 @@ > + // Turn off GGC to prevent nursery-allocated metadata from being used > + // as a lookup key in InitialShapeTable entries. > + if (callback) > + JS::DisableGenerationalGC(runtime_); > + objectMetadataCallback = callback; Lets put a line break above the assignment so that this looks like 3 discreet actions.

https://hg.mozilla.org/integration/mozilla-inbound/rev/fa13474d7b16 with followup fix https://hg.mozilla.org/integration/mozilla-inbound/rev/a2622f851534

https://hg.mozilla.org/mozilla-central/rev/fa13474d7b16 https://hg.mozilla.org/mozilla-central/rev/a2622f851534