author | wolfbeast <mcwerewolf@gmail.com> | 2018-12-13 11:34:00 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-12-13 11:34:00 +0100 |
commit | 42766ad06f7d37b507a500c8d78002d25fd804f8 (patch) | |
tree | 1dcebad9b2448090b626239104bc395d4d47d230 /js/src/vm/TypeInference.cpp | |
parent | bc8a25f5e33700f700b1e07b238bef5dae22f1ad (diff) | |
Use canonical function in TypeNewScript::rollbackPartiallyInitializedObjects.
Diffstat (limited to 'js/src/vm/TypeInference.cpp')
-rw-r--r-- | js/src/vm/TypeInference.cpp | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
index c86345d9c..4775a2dea 100644
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3603,6 +3603,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
 MOZ_ASSERT(!group->newScript());
 MOZ_ASSERT(!group->maybeUnboxedLayout());
 
+ // rollbackPartiallyInitializedObjects expects function_ to be
+ // canonicalized.
+ MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
+
 if (group->unknownProperties())
 return true;
 
@@ -3958,8 +3962,15 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
 oomUnsafe.crash("rollbackPartiallyInitializedObjects");
 }
 
- if (!iter.isConstructing() || !iter.matchCallee(cx, function))
+ if (!iter.isConstructing()) {
+ continue;
+ }
+
+ MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
+
+ if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
 continue;
+ }
 
 // Derived class constructors initialize their this-binding later and
 // we shouldn't run the definite properties analysis on them. |
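Review bot: The canonical-function invariant added to TypeNewScript::make is enforced only by `MOZ_ASSERT`, which is compiled out of release builds. The second hunk now matches frames by pointer equality against `function`, so if a non-canonical `fun` ever reached make(), no frame would match and partially initialized objects would presumably be left without rollback. The same holds for the `MOZ_ASSERT` on `maybeCanonicalFunction()` in the second hunk, where a null result would skip the frame. Consider `MOZ_RELEASE_ASSERT(fun->maybeCanonicalFunction() == fun);` here, or canonicalizing at the call site; whether every caller already guarantees this is not visible in the diff. make() continues outside the hunk.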
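Review bot: `iter.calleeTemplate()->maybeCanonicalFunction()` is evaluated twice in the new frame check, once in the assert and once in the comparison, and nothing records why `matchCallee` was dropped. Hoisting it into a local reads better: `JSFunction* callee = iter.calleeTemplate()->maybeCanonicalFunction();`, then `MOZ_ASSERT(callee);` and `if (callee != function) {`. A short comment such as `// Compare canonical functions; function is canonical (asserted in TypeNewScript::make).` would keep the intent next to the check. The enclosing loop in rollbackPartiallyInitializedObjects starts and ends outside the hunk.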