Diffstat (limited to 'js/src/jit/WarpOracle.cpp')
-rw-r--r--js/src/jit/WarpOracle.cpp40
1 files changed, 32 insertions, 8 deletions
diff --git a/js/src/jit/WarpOracle.cpp b/js/src/jit/WarpOracle.cpp
index 624ebfcedf..d0c6d30d8c 100644
--- a/js/src/jit/WarpOracle.cpp
+++ b/js/src/jit/WarpOracle.cpp
@@ -510,6 +510,11 @@ AbortReasonOr<WarpScriptSnapshot*> WarpScriptOracle::createScriptSnapshot() {
break;
}
+ case JSOp::String:
+ if (!loc.atomizeString(cx_, script_)) {
+ return abort(AbortReason::Alloc);
+ }
+ break;
case JSOp::GetName:
case JSOp::GetGName:
case JSOp::GetProp:
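Review bot: The new `case JSOp::String:` arm has no comment saying why the operand is atomized while the snapshot is built, and the only rationale in this commit sits on the stub-data path in `replaceNurseryAndAllocSitePointers`. If the reason is the same, a line such as `// Atomize now so the background compilation thread never reads unstable string characters.` above the `loc.atomizeString(cx_, script_)` call would make that explicit. The failure is reported as `AbortReason::Alloc`, which assumes `atomizeString` can only fail on allocation; that is not visible here and is worth confirming. The enclosing switch in `createScriptSnapshot` starts and ends outside the hunk.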
@@ -578,6 +583,7 @@ AbortReasonOr<WarpScriptSnapshot*> WarpScriptOracle::createScriptSnapshot() {
case JSOp::OptimizeSpreadCall:
case JSOp::Typeof:
case JSOp::TypeofExpr:
+ case JSOp::TypeofEq:
case JSOp::NewObject:
case JSOp::NewInit:
case JSOp::NewArray:
@@ -613,7 +619,6 @@ AbortReasonOr<WarpScriptSnapshot*> WarpScriptOracle::createScriptSnapshot() {
case JSOp::Int32:
case JSOp::Double:
case JSOp::BigInt:
- case JSOp::String:
case JSOp::Symbol:
case JSOp::Pop:
case JSOp::PopN:
@@ -1209,6 +1214,10 @@ bool WarpScriptOracle::replaceNurseryAndAllocSitePointers(
// If the stub data contains weak pointers then trigger a read barrier. This
// is necessary as these will now be strong references in the snapshot.
//
+ // If the stub data contains strings then atomize them. This ensures we don't
+ // try to access potentially unstable characters from a background thread and
+ // also facilitates certain optimizations.
+ //
// Also asserts non-object fields don't contain nursery pointers.
uint32_t field = 0;
@@ -1270,11 +1279,17 @@ bool WarpScriptOracle::replaceNurseryAndAllocSitePointers(
break;
}
case StubField::Type::String: {
-#ifdef DEBUG
- JSString* str =
- stubInfo->getStubField<StubField::Type::String>(stub, offset);
+ uintptr_t oldWord = stubInfo->getStubRawWord(stub, offset);
+ JSString* str = reinterpret_cast<JSString*>(oldWord);
MOZ_ASSERT(!IsInsideNursery(str));
-#endif
+ JSAtom* atom = AtomizeString(cx_, str);
+ if (!atom) {
+ return false;
+ }
+ if (atom != str) {
+ uintptr_t newWord = reinterpret_cast<uintptr_t>(atom);
+ stubInfo->replaceStubRawWord(stubDataCopy, offset, oldWord, newWord);
+ }
break;
}
case StubField::Type::Id: {
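Review bot: In the `StubField::Type::String` case the typed accessor `getStubField<StubField::Type::String>` is replaced by `getStubRawWord` plus a `reinterpret_cast<JSString*>`, and nothing explains why the type-checked read was dropped. Presumably `replaceStubRawWord` needs the old word as its expected value; a comment such as `// Read the raw word: replaceStubRawWord needs the old value when patching stubDataCopy.` would record that. The block used to be debug-only and now runs in release builds, where `MOZ_ASSERT(!IsInsideNursery(str))` compiles away and `str` reaches `AtomizeString` unchecked. It is worth stating in that comment that a String field is never null and never a nursery pointer at this point, if that is the invariant. The enclosing switch and function continue outside the hunk.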
@@ -1287,10 +1302,19 @@ bool WarpScriptOracle::replaceNurseryAndAllocSitePointers(
break;
}
case StubField::Type::Value: {
-#ifdef DEBUG
- Value v = stubInfo->getStubField<StubField::Type::Value>(stub, offset);
+ Value v =
+ stubInfo->getStubField<StubField::Type::Value>(stub, offset).get();
MOZ_ASSERT_IF(v.isGCThing(), !IsInsideNursery(v.toGCThing()));
-#endif
+ if (v.isString()) {
+ Value newVal;
+ JSAtom* atom = AtomizeString(cx_, v.toString());
+ if (!atom) {
+ return false;
+ }
+ newVal.setString(atom);
+ stubInfo->replaceStubRawValueBits(stubDataCopy, offset, v.asRawBits(),
+ newVal.asRawBits());
+ }
break;
}
case StubField::Type::AllocSite: {
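Review bot: The `StubField::Type::Value` case calls `replaceStubRawValueBits` whenever `v.isString()`, even when `AtomizeString` returns the string it was given. The `StubField::Type::String` case in the previous hunk skips the write with `if (atom != str)`. Guarding the same way here, `if (atom != v.toString()) { newVal.setString(atom); stubInfo->replaceStubRawValueBits(...); }`, keeps the two paths consistent and avoids patching `stubDataCopy` with identical old and new bits. Whether `replaceStubRawValueBits` tolerates equal values is not visible in this hunk. `Value newVal;` could also be declared after the null check, next to its only use.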