Use canonical function in TypeNewScript::rollbackPartiallyInitializedObjects.

author: wolfbeast <mcwerewolf@gmail.com> 2018-12-13 11:34:00 +0100
committer: wolfbeast <mcwerewolf@gmail.com> 2018-12-13 11:34:00 +0100
commit: 42766ad06f7d37b507a500c8d78002d25fd804f8 (patch)
tree: 1dcebad9b2448090b626239104bc395d4d47d230 /js/src/vm
parent: bc8a25f5e33700f700b1e07b238bef5dae22f1ad (diff)
download: UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.tar
UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.tar.gz
UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.tar.lz
UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.tar.xz
UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.zip
2 files changed, 13 insertions, 7 deletions
diff --git a/js/src/vm/ObjectGroup.cpp b/js/src/vm/ObjectGroup.cpp
index d6a8fcaa4..1fbf8976b 100644
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@@ -496,12 +496,7 @@ ObjectGroup::defaultNewGroup(ExclusiveContext* cx, const Class* clasp,
 
             // Canonicalize new functions to use the original one associated with its script.
             JSFunction* fun = &associated->as<JSFunction>();
-            if (fun->hasScript())
-                associated = fun->nonLazyScript()->functionNonDelazifying();
-            else if (fun->isInterpretedLazy() && !fun->isSelfHostedBuiltin())
-                associated = fun->lazyScript()->functionNonDelazifying();
-            else
-                associated = nullptr;
+            associated = associated->as<JSFunction>().maybeCanonicalFunction();
 
             // If we have previously cleared the 'new' script information for this
             // function, don't try to construct another one.
diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
index c86345d9c..4775a2dea 100644
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3603,6 +3603,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
     MOZ_ASSERT(!group->newScript());
     MOZ_ASSERT(!group->maybeUnboxedLayout());
 
+    // rollbackPartiallyInitializedObjects expects function_ to be
+    // canonicalized.
+    MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
+
     if (group->unknownProperties())
         return true;
 
@@ -3958,8 +3962,15 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
                 oomUnsafe.crash("rollbackPartiallyInitializedObjects");
         }
 
-        if (!iter.isConstructing() || !iter.matchCallee(cx, function))
+        if (!iter.isConstructing()) {
+            continue;
+        }
+
+        MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
+
+        if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
             continue;
+        }
 
         // Derived class constructors initialize their this-binding later and
         // we shouldn't run the definite properties analysis on them.
author	wolfbeast <mcwerewolf@gmail.com>	2018-12-13 11:34:00 +0100
committer	wolfbeast <mcwerewolf@gmail.com>	2018-12-13 11:34:00 +0100
commit	42766ad06f7d37b507a500c8d78002d25fd804f8 (patch)
tree	1dcebad9b2448090b626239104bc395d4d47d230 /js/src/vm
parent	bc8a25f5e33700f700b1e07b238bef5dae22f1ad (diff)
download	UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.tar UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.tar.gz UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.tar.lz UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.tar.xz UXP-42766ad06f7d37b507a500c8d78002d25fd804f8.zip