diff options
| author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-09-05 13:03:09 +0200 |
|---|---|---|
| committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-09-05 13:19:33 +0200 |
| commit | 2b223cce089bb8cbfb1a463fdd42e09eee63c7b2 (patch) | |
| tree | e3d2025041a0f3a6d9eb870455ca8db324b88729 /js/src/vm/TypeInference.h | |
| parent | d90dd7b0c60e7950b668a08d415c0395c92db535 (diff) | |
| download | UXP-2b223cce089bb8cbfb1a463fdd42e09eee63c7b2.tar UXP-2b223cce089bb8cbfb1a463fdd42e09eee63c7b2.tar.gz UXP-2b223cce089bb8cbfb1a463fdd42e09eee63c7b2.tar.lz UXP-2b223cce089bb8cbfb1a463fdd42e09eee63c7b2.tar.xz UXP-2b223cce089bb8cbfb1a463fdd42e09eee63c7b2.zip | |
Use the correct group for JIT constraints.
This fixes a rare crash/CTD in JS.
This adds information about the constraints to a new RAII class so we
can finish all constraints at the end.
Based on changes in BZ 1568397
Diffstat (limited to 'js/src/vm/TypeInference.h')
| -rw-r--r-- | js/src/vm/TypeInference.h | 59 |
1 files changed, 58 insertions, 1 deletions
diff --git a/js/src/vm/TypeInference.h b/js/src/vm/TypeInference.h index 94ce7e871..fd021fc96 100644 --- a/js/src/vm/TypeInference.h +++ b/js/src/vm/TypeInference.h @@ -789,8 +789,65 @@ class TemporaryTypeSet : public TypeSet TypedArraySharedness* sharedness); }; +// Stack class to record information about constraints that need to be added +// after finishing the Definite Properties Analysis. When the analysis succeeds, +// the |finishConstraints| method must be called to add the constraints to the +// TypeSets. +// +// There are two constraint types managed here: +// +// 1. Proto constraints for HeapTypeSets, to guard against things like getters +// and setters on the proto chain. +// +// 2. Inlining constraints for StackTypeSets, to invalidate when additional +// functions could be called at call sites where we inlined a function. +// +// This class uses bare GC-thing pointers because GC is suppressed when the +// analysis runs. +class MOZ_RAII DPAConstraintInfo { + struct ProtoConstraint { + JSObject* proto; + jsid id; + ProtoConstraint(JSObject* proto, jsid id) : proto(proto), id(id) {} + }; + struct InliningConstraint { + JSScript* caller; + JSScript* callee; + InliningConstraint(JSScript* caller, JSScript* callee) + : caller(caller), callee(callee) {} + }; + + JS::AutoCheckCannotGC nogc_; + Vector<ProtoConstraint, 8> protoConstraints_; + Vector<InliningConstraint, 4> inliningConstraints_; + +public: + explicit DPAConstraintInfo(JSContext* cx) + : nogc_(cx) + , protoConstraints_(cx) + , inliningConstraints_(cx) + { + } + + DPAConstraintInfo(const DPAConstraintInfo&) = delete; + void operator=(const DPAConstraintInfo&) = delete; + + MOZ_MUST_USE bool addProtoConstraint(JSObject* proto, jsid id) { + return protoConstraints_.emplaceBack(proto, id); + } + MOZ_MUST_USE bool addInliningConstraint(JSScript* caller, JSScript* callee) { + return inliningConstraints_.emplaceBack(caller, callee); + } + + MOZ_MUST_USE bool finishConstraints(JSContext* cx, ObjectGroup* group); +}; + bool -AddClearDefiniteGetterSetterForPrototypeChain(JSContext* cx, ObjectGroup* group, HandleId id); +AddClearDefiniteGetterSetterForPrototypeChain(JSContext* cx, + DPAConstraintInfo& constraintInfo, + ObjectGroup* group, + HandleId id, + bool* added); bool AddClearDefiniteFunctionUsesInScript(JSContext* cx, ObjectGroup* group, |