summaryrefslogtreecommitdiffstats
path: root/js/src
diff options
context:
space:
mode:
Diffstat (limited to 'js/src')
-rw-r--r--js/src/gc/Nursery.cpp1
-rw-r--r--js/src/gc/Nursery.h1
-rw-r--r--js/src/jit/AliasAnalysisShared.cpp3
-rw-r--r--js/src/jit/IonAnalysis.cpp21
-rw-r--r--js/src/jit/JitOptions.cpp2
-rw-r--r--js/src/jit/MIR.h7
-rw-r--r--js/src/jit/StupidAllocator.cpp1
-rw-r--r--js/src/jsapi.cpp3
-rw-r--r--js/src/jsapi.h25
-rw-r--r--js/src/jsfun.cpp58
-rw-r--r--js/src/vm/ObjectGroup.cpp1
11 files changed, 52 insertions, 71 deletions
diff --git a/js/src/gc/Nursery.cpp b/js/src/gc/Nursery.cpp
index ea4350fb8..93a0eb6a8 100644
--- a/js/src/gc/Nursery.cpp
+++ b/js/src/gc/Nursery.cpp
@@ -210,6 +210,7 @@ js::Nursery::disable()
return;
updateNumChunks(0);
currentEnd_ = 0;
+ position_ = 0;
runtime()->gc.storeBuffer.disable();
}
diff --git a/js/src/gc/Nursery.h b/js/src/gc/Nursery.h
index 0d215d997..a839a4979 100644
--- a/js/src/gc/Nursery.h
+++ b/js/src/gc/Nursery.h
@@ -245,6 +245,7 @@ class Nursery
// Free space remaining, not counting chunk trailers.
MOZ_ALWAYS_INLINE size_t freeSpace() const {
+ MOZ_ASSERT(isEnabled());
MOZ_ASSERT(currentEnd_ - position_ <= NurseryChunkUsableSize);
return (currentEnd_ - position_) +
(numChunks() - currentChunk_ - 1) * NurseryChunkUsableSize;
diff --git a/js/src/jit/AliasAnalysisShared.cpp b/js/src/jit/AliasAnalysisShared.cpp
index ae28327ca..81c0fd067 100644
--- a/js/src/jit/AliasAnalysisShared.cpp
+++ b/js/src/jit/AliasAnalysisShared.cpp
@@ -102,7 +102,6 @@ GetObject(const MDefinition* ins)
case MDefinition::Op_SetDisjointTypedElements:
case MDefinition::Op_ArrayPopShift:
case MDefinition::Op_ArrayPush:
- case MDefinition::Op_ArraySlice:
case MDefinition::Op_LoadTypedArrayElementHole:
case MDefinition::Op_StoreTypedArrayElementHole:
case MDefinition::Op_LoadFixedSlot:
@@ -126,6 +125,7 @@ GetObject(const MDefinition* ins)
object = ins->getOperand(0);
break;
case MDefinition::Op_GetPropertyCache:
+ case MDefinition::Op_CallGetProperty:
case MDefinition::Op_LoadTypedArrayElementStatic:
case MDefinition::Op_StoreTypedArrayElementStatic:
case MDefinition::Op_GetDOMProperty:
@@ -148,6 +148,7 @@ GetObject(const MDefinition* ins)
case MDefinition::Op_WasmLoadGlobalVar:
case MDefinition::Op_WasmStoreGlobalVar:
case MDefinition::Op_ArrayJoin:
+ case MDefinition::Op_ArraySlice:
return nullptr;
default:
#ifdef DEBUG
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index b163d5818..d255c32a8 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -3127,6 +3127,15 @@ ExtractMathSpace(MDefinition* ins)
MOZ_MAKE_COMPILER_ASSUME_IS_UNREACHABLE("Unknown TruncateKind");
}
+static bool MonotoneAdd(int32_t lhs, int32_t rhs) {
+ return (lhs >= 0 && rhs >= 0) || (lhs <= 0 && rhs <= 0);
+}
+
+static bool MonotoneSub(int32_t lhs, int32_t rhs) {
+ return (lhs >= 0 && rhs <= 0) || (lhs <= 0 && rhs >= 0);
+}
+
+
// Extract a linear sum from ins, if possible (otherwise giving the sum 'ins + 0').
SimpleLinearSum
jit::ExtractLinearSum(MDefinition* ins, MathSpace space)
@@ -3168,10 +3177,12 @@ jit::ExtractLinearSum(MDefinition* ins, MathSpace space)
// Check if this is of the form <SUM> + n or n + <SUM>.
if (ins->isAdd()) {
int32_t constant;
- if (space == MathSpace::Modulo)
+ if (space == MathSpace::Modulo) {
constant = lsum.constant + rsum.constant;
- else if (!SafeAdd(lsum.constant, rsum.constant, &constant))
+ } else if (!SafeAdd(lsum.constant, rsum.constant, &constant) ||
+ !MonotoneAdd(lsum.constant, rsum.constant)) {
return SimpleLinearSum(ins, 0);
+ }
return SimpleLinearSum(lsum.term ? lsum.term : rsum.term, constant);
}
@@ -3179,10 +3190,12 @@ jit::ExtractLinearSum(MDefinition* ins, MathSpace space)
// Check if this is of the form <SUM> - n.
if (lsum.term) {
int32_t constant;
- if (space == MathSpace::Modulo)
+ if (space == MathSpace::Modulo) {
constant = lsum.constant - rsum.constant;
- else if (!SafeSub(lsum.constant, rsum.constant, &constant))
+ } else if (!SafeSub(lsum.constant, rsum.constant, &constant) ||
+ !MonotoneSub(lsum.constant, rsum.constant)) {
return SimpleLinearSum(ins, 0);
+ }
return SimpleLinearSum(lsum.term, constant);
}
diff --git a/js/src/jit/JitOptions.cpp b/js/src/jit/JitOptions.cpp
index eb5a6c1c2..b9a7c7b27 100644
--- a/js/src/jit/JitOptions.cpp
+++ b/js/src/jit/JitOptions.cpp
@@ -222,7 +222,7 @@ DefaultJitOptions::DefaultJitOptions()
}
// Toggles whether unboxed plain objects can be created by the VM.
- SET_DEFAULT(disableUnboxedObjects, false);
+ SET_DEFAULT(disableUnboxedObjects, true);
// Test whether Atomics are allowed in asm.js code.
SET_DEFAULT(asmJSAtomicsEnable, false);
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index b2e84322f..fb0f22fc3 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -9910,10 +9910,6 @@ class MArraySlice
return unboxedType_;
}
- AliasSet getAliasSet() const override {
- return AliasSet::Store(AliasSet::BoxedOrUnboxedElements(unboxedType()) |
- AliasSet::ObjectFields);
- }
bool possiblyCalls() const override {
return true;
}
@@ -11837,7 +11833,8 @@ class MCallGetProperty
AliasSet getAliasSet() const override {
if (!idempotent_)
return AliasSet::Store(AliasSet::Any);
- return AliasSet::None();
+ return AliasSet::Load(AliasSet::ObjectFields | AliasSet::FixedSlot |
+ AliasSet::DynamicSlot);
}
bool possiblyCalls() const override {
return true;
diff --git a/js/src/jit/StupidAllocator.cpp b/js/src/jit/StupidAllocator.cpp
index 8e3ea6286..55431e8e0 100644
--- a/js/src/jit/StupidAllocator.cpp
+++ b/js/src/jit/StupidAllocator.cpp
@@ -407,7 +407,6 @@ StupidAllocator::allocateForDefinition(LInstruction* ins, LDefinition* def)
{
uint32_t vreg = def->virtualRegister();
- CodePosition from;
if ((def->output()->isRegister() && def->policy() == LDefinition::FIXED) ||
def->policy() == LDefinition::MUST_REUSE_INPUT)
{
diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
index 37d023bd4..6114b8157 100644
--- a/js/src/jsapi.cpp
+++ b/js/src/jsapi.cpp
@@ -6410,6 +6410,9 @@ JS_SetGlobalJitCompilerOption(JSContext* cx, JSJitCompilerOption opt, uint32_t v
}
jit::JitOptions.jumpThreshold = value;
break;
+ case JSJITCOMPILER_UNBOXED_OBJECTS:
+ jit::JitOptions.disableUnboxedObjects = !value;
+ break;
case JSJITCOMPILER_ASMJS_ATOMICS_ENABLE:
jit::JitOptions.asmJSAtomicsEnable = !!value;
break;
diff --git a/js/src/jsapi.h b/js/src/jsapi.h
index 005d2278e..1f726f2e5 100644
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@@ -5783,19 +5783,20 @@ JS_SetParallelParsingEnabled(JSContext* cx, bool enabled);
extern JS_PUBLIC_API(void)
JS_SetOffthreadIonCompilationEnabled(JSContext* cx, bool enabled);
-#define JIT_COMPILER_OPTIONS(Register) \
- Register(BASELINE_WARMUP_TRIGGER, "baseline.warmup.trigger") \
- Register(ION_WARMUP_TRIGGER, "ion.warmup.trigger") \
- Register(ION_GVN_ENABLE, "ion.gvn.enable") \
- Register(ION_FORCE_IC, "ion.forceinlineCaches") \
- Register(ION_ENABLE, "ion.enable") \
+#define JIT_COMPILER_OPTIONS(Register) \
+ Register(BASELINE_WARMUP_TRIGGER, "baseline.warmup.trigger") \
+ Register(ION_WARMUP_TRIGGER, "ion.warmup.trigger") \
+ Register(ION_GVN_ENABLE, "ion.gvn.enable") \
+ Register(ION_FORCE_IC, "ion.forceinlineCaches") \
+ Register(ION_ENABLE, "ion.enable") \
Register(ION_INTERRUPT_WITHOUT_SIGNAL, "ion.interrupt-without-signals") \
- Register(ION_CHECK_RANGE_ANALYSIS, "ion.check-range-analysis") \
- Register(BASELINE_ENABLE, "baseline.enable") \
- Register(OFFTHREAD_COMPILATION_ENABLE, "offthread-compilation.enable") \
- Register(JUMP_THRESHOLD, "jump-threshold") \
- Register(ASMJS_ATOMICS_ENABLE, "asmjs.atomics.enable") \
- Register(WASM_TEST_MODE, "wasm.test-mode") \
+ Register(ION_CHECK_RANGE_ANALYSIS, "ion.check-range-analysis") \
+ Register(BASELINE_ENABLE, "baseline.enable") \
+ Register(OFFTHREAD_COMPILATION_ENABLE, "offthread-compilation.enable") \
+ Register(JUMP_THRESHOLD, "jump-threshold") \
+ Register(UNBOXED_OBJECTS, "unboxed_objects") \
+ Register(ASMJS_ATOMICS_ENABLE, "asmjs.atomics.enable") \
+ Register(WASM_TEST_MODE, "wasm.test-mode") \
Register(WASM_FOLD_OFFSETS, "wasm.fold-offsets")
typedef enum JSJitCompilerOption {
diff --git a/js/src/jsfun.cpp b/js/src/jsfun.cpp
index 863871df9..98311be2f 100644
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -288,6 +288,12 @@ CallerGetterImpl(JSContext* cx, const CallArgs& args)
return true;
}
+ if (JS_IsDeadWrapper(callerObj)) {
+ JS_ReportErrorNumberASCII(cx, GetErrorMessage, nullptr,
+ JSMSG_DEAD_OBJECT);
+ return false;
+ }
+
JSFunction* callerFun = &callerObj->as<JSFunction>();
MOZ_ASSERT(!callerFun->isBuiltin(), "non-builtin iterator returned a builtin?");
@@ -314,54 +320,14 @@ CallerSetterImpl(JSContext* cx, const CallArgs& args)
{
MOZ_ASSERT(IsFunction(args.thisv()));
- // Beware! This function can be invoked on *any* function! It can't
- // assume it'll never be invoked on natives, strict mode functions, bound
- // functions, or anything else that ordinarily has immutable .caller
- // defined with [[ThrowTypeError]].
- RootedFunction fun(cx, &args.thisv().toObject().as<JSFunction>());
- if (!CallerRestrictions(cx, fun))
- return false;
-
- // Return |undefined| unless an error must be thrown.
- args.rval().setUndefined();
-
- // We can almost just return |undefined| here -- but if the caller function
- // was strict mode code, we still have to throw a TypeError. This requires
- // computing the caller, checking that no security boundaries are crossed,
- // and throwing a TypeError if the resulting caller is strict.
-
- NonBuiltinScriptFrameIter iter(cx);
- if (!AdvanceToActiveCallLinear(cx, iter, fun))
- return true;
-
- ++iter;
- while (!iter.done() && iter.isEvalFrame())
- ++iter;
-
- if (iter.done() || !iter.isFunctionFrame())
- return true;
-
- RootedObject caller(cx, iter.callee(cx));
- if (!cx->compartment()->wrap(cx, &caller)) {
- cx->clearPendingException();
- return true;
- }
-
- // If we don't have full access to the caller, or the caller is not strict,
- // return undefined. Otherwise throw a TypeError.
- JSObject* callerObj = CheckedUnwrap(caller);
- if (!callerObj)
- return true;
-
- JSFunction* callerFun = &callerObj->as<JSFunction>();
- MOZ_ASSERT(!callerFun->isBuiltin(), "non-builtin iterator returned a builtin?");
-
- if (callerFun->strict()) {
- JS_ReportErrorFlagsAndNumberASCII(cx, JSREPORT_ERROR, GetErrorMessage, nullptr,
- JSMSG_CALLER_IS_STRICT);
- return false;
+ // We just have to return |undefined|, but first we call CallerGetterImpl
+ // because we need the same strict-mode and security checks.
+
+ if (!CallerGetterImpl(cx, args)) {
+ return false;
}
+ args.rval().setUndefined();
return true;
}
diff --git a/js/src/vm/ObjectGroup.cpp b/js/src/vm/ObjectGroup.cpp
index 1fbf8976b..46159a972 100644
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@@ -495,7 +495,6 @@ ObjectGroup::defaultNewGroup(ExclusiveContext* cx, const Class* clasp,
if (associated->is<JSFunction>()) {
// Canonicalize new functions to use the original one associated with its script.
- JSFunction* fun = &associated->as<JSFunction>();
associated = associated->as<JSFunction>().maybeCanonicalFunction();
// If we have previously cleared the 'new' script information for this