diff options
-rw-r--r-- | js/src/jit/BaselineIC.cpp | 23 | ||||
-rw-r--r-- | js/src/jit/BaselineIC.h | 2 | ||||
-rw-r--r-- | js/src/jit/IonCaches.cpp | 2 | ||||
-rw-r--r-- | js/src/jsarray.cpp | 16 | ||||
-rw-r--r-- | js/src/jsarray.h | 4 | ||||
-rw-r--r-- | js/src/jsfun.cpp | 2 | ||||
-rw-r--r-- | js/src/jsobj.cpp | 7 | ||||
-rw-r--r-- | js/src/jsobj.h | 2 | ||||
-rw-r--r-- | js/src/jsobjinlines.h | 15 | ||||
-rw-r--r-- | js/src/shell/js.cpp | 4 | ||||
-rw-r--r-- | js/src/vm/ArrayBufferObject.cpp | 2 | ||||
-rw-r--r-- | js/src/vm/Interpreter.cpp | 3 | ||||
-rw-r--r-- | js/src/vm/ObjectGroup.cpp | 5 | ||||
-rw-r--r-- | js/src/vm/TypeInference.cpp | 14 |
14 files changed, 56 insertions, 45 deletions
diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp index 2f20ffa4f..506cbf1d2 100644 --- a/js/src/jit/BaselineIC.cpp +++ b/js/src/jit/BaselineIC.cpp @@ -2253,14 +2253,20 @@ DenseOrUnboxedArraySetElemStubExists(JSContext* cx, ICStub::Kind kind, for (ICStubConstIterator iter = stub->beginChainConst(); !iter.atEnd(); iter++) { if (kind == ICStub::SetElem_DenseOrUnboxedArray && iter->isSetElem_DenseOrUnboxedArray()) { ICSetElem_DenseOrUnboxedArray* nstub = iter->toSetElem_DenseOrUnboxedArray(); - if (obj->maybeShape() == nstub->shape() && obj->getGroup(cx) == nstub->group()) + if (obj->maybeShape() == nstub->shape() && + JSObject::getGroup(cx, obj) == nstub->group()) + { return true; + } } if (kind == ICStub::SetElem_DenseOrUnboxedArrayAdd && iter->isSetElem_DenseOrUnboxedArrayAdd()) { ICSetElem_DenseOrUnboxedArrayAdd* nstub = iter->toSetElem_DenseOrUnboxedArrayAdd(); - if (obj->getGroup(cx) == nstub->group() && SetElemAddHasSameShapes(nstub, obj)) + if (JSObject::getGroup(cx, obj) == nstub->group() && + SetElemAddHasSameShapes(nstub, obj)) + { return true; + } } } return false; @@ -2446,7 +2452,7 @@ DoSetElemFallback(JSContext* cx, BaselineFrame* frame, ICSetElem_Fallback* stub_ &addingCase, &protoDepth)) { RootedShape shape(cx, obj->maybeShape()); - RootedObjectGroup group(cx, obj->getGroup(cx)); + RootedObjectGroup group(cx, JSObject::getGroup(cx, obj)); if (!group) return false; @@ -4277,7 +4283,7 @@ DoSetPropFallback(JSContext* cx, BaselineFrame* frame, ICSetProp_Fallback* stub_ if (!obj) return false; RootedShape oldShape(cx, obj->maybeShape()); - RootedObjectGroup oldGroup(cx, obj->getGroup(cx)); + RootedObjectGroup oldGroup(cx, JSObject::getGroup(cx, obj)); if (!oldGroup) return false; RootedReceiverGuard oldGuard(cx, ReceiverGuard(obj)); @@ -5175,14 +5181,13 @@ GetTemplateObjectForNative(JSContext* cx, HandleFunction target, const CallArgs& if (native == js::array_slice) { if (args.thisv().isObject()) { - JSObject* obj = &args.thisv().toObject(); + RootedObject obj(cx, &args.thisv().toObject()); if (!obj->isSingleton()) { if (obj->group()->maybePreliminaryObjects()) { *skipAttach = true; return true; } - res.set(NewFullyAllocatedArrayTryReuseGroup(cx, &args.thisv().toObject(), 0, - TenuredObject)); + res.set(NewFullyAllocatedArrayTryReuseGroup(cx, obj, 0, TenuredObject)); return !!res; } } @@ -7961,7 +7966,7 @@ ICUpdatedStub* ICSetElemDenseOrUnboxedArrayAddCompiler::getStubSpecific(ICStubSpace* space, Handle<ShapeVector> shapes) { - RootedObjectGroup group(cx, obj_->getGroup(cx)); + RootedObjectGroup group(cx, JSObject::getGroup(cx, obj_)); if (!group) return nullptr; Rooted<JitCode*> stubCode(cx, getStubCode()); @@ -8098,7 +8103,7 @@ ICSetProp_Native::ICSetProp_Native(JitCode* stubCode, ObjectGroup* group, Shape* ICSetProp_Native* ICSetProp_Native::Compiler::getStub(ICStubSpace* space) { - RootedObjectGroup group(cx, obj_->getGroup(cx)); + RootedObjectGroup group(cx, JSObject::getGroup(cx, obj_)); if (!group) return nullptr; diff --git a/js/src/jit/BaselineIC.h b/js/src/jit/BaselineIC.h index 98f0e1c59..9941cc93d 100644 --- a/js/src/jit/BaselineIC.h +++ b/js/src/jit/BaselineIC.h @@ -1940,7 +1940,7 @@ class ICSetPropNativeAddCompiler : public ICStubCompiler template <size_t ProtoChainDepth> ICUpdatedStub* getStubSpecific(ICStubSpace* space, Handle<ShapeVector> shapes) { - RootedObjectGroup newGroup(cx, obj_->getGroup(cx)); + RootedObjectGroup newGroup(cx, JSObject::getGroup(cx, obj_)); if (!newGroup) return nullptr; diff --git a/js/src/jit/IonCaches.cpp b/js/src/jit/IonCaches.cpp index 9901bdd07..48e0792bb 100644 --- a/js/src/jit/IonCaches.cpp +++ b/js/src/jit/IonCaches.cpp @@ -3316,7 +3316,7 @@ SetPropertyIC::update(JSContext* cx, HandleScript outerScript, size_t cacheIndex RootedObjectGroup oldGroup(cx); RootedShape oldShape(cx); if (cache.canAttachStub()) { - oldGroup = obj->getGroup(cx); + oldGroup = JSObject::getGroup(cx, obj); if (!oldGroup) return false; diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp index d28f5cb8e..c1a6dcfab 100644 --- a/js/src/jsarray.cpp +++ b/js/src/jsarray.cpp @@ -602,7 +602,7 @@ js::ArraySetLength(JSContext* cx, Handle<ArrayObject*> arr, HandleId id, // for..in iteration over the array. Keys deleted before being reached // during the iteration must not be visited, and suppressing them here // would be too costly. - ObjectGroup* arrGroup = arr->getGroup(cx); + ObjectGroup* arrGroup = JSObject::getGroup(cx, arr); if (MOZ_UNLIKELY(!arrGroup)) return false; if (!arr->isIndexed() && !MOZ_UNLIKELY(arrGroup->hasAllFlags(OBJECT_FLAG_ITERATED))) { @@ -1285,7 +1285,7 @@ InitArrayElements(JSContext* cx, HandleObject obj, uint32_t start, if (count == 0) return true; - ObjectGroup* group = obj->getGroup(cx); + ObjectGroup* group = JSObject::getGroup(cx, obj); if (!group) return false; @@ -2144,7 +2144,7 @@ ArrayShiftDenseKernel(JSContext* cx, HandleObject obj, MutableHandleValue rval) if (ObjectMayHaveExtraIndexedProperties(obj)) return DenseElementResult::Incomplete; - RootedObjectGroup group(cx, obj->getGroup(cx)); + RootedObjectGroup group(cx, JSObject::getGroup(cx, obj)); if (MOZ_UNLIKELY(!group)) return DenseElementResult::Failure; @@ -2340,7 +2340,7 @@ CanOptimizeForDenseStorage(HandleObject arr, uint32_t startingIndex, uint32_t co * deleted if a hole is moved from one location to another location not yet * visited. See bug 690622. */ - ObjectGroup* arrGroup = arr->getGroup(cx); + ObjectGroup* arrGroup = JSObject::getGroup(cx, arr); if (!arrGroup) { cx->recoverFromOutOfMemory(); return false; @@ -3586,7 +3586,7 @@ js::NewPartlyAllocatedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup g // will have unknown property types. template <uint32_t maxLength> static inline ArrayObject* -NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, +NewArrayTryReuseGroup(JSContext* cx, HandleObject obj, size_t length, NewObjectKind newKind = GenericObject) { if (!obj->is<ArrayObject>()) @@ -3595,7 +3595,7 @@ NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, if (obj->staticPrototype() != cx->global()->maybeGetArrayPrototype()) return NewArray<maxLength>(cx, length, nullptr, newKind); - RootedObjectGroup group(cx, obj->getGroup(cx)); + RootedObjectGroup group(cx, JSObject::getGroup(cx, obj)); if (!group) return nullptr; @@ -3603,14 +3603,14 @@ NewArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, } ArrayObject* -js::NewFullyAllocatedArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, +js::NewFullyAllocatedArrayTryReuseGroup(JSContext* cx, HandleObject obj, size_t length, NewObjectKind newKind) { return NewArrayTryReuseGroup<UINT32_MAX>(cx, obj, length, newKind); } ArrayObject* -js::NewPartlyAllocatedArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length) +js::NewPartlyAllocatedArrayTryReuseGroup(JSContext* cx, HandleObject obj, size_t length) { return NewArrayTryReuseGroup<ArrayObject::EagerAllocationMaxLength>(cx, obj, length); } diff --git a/js/src/jsarray.h b/js/src/jsarray.h index ec2e4f514..00b475a8e 100644 --- a/js/src/jsarray.h +++ b/js/src/jsarray.h @@ -83,11 +83,11 @@ extern ArrayObject* NewPartlyAllocatedArrayTryUseGroup(ExclusiveContext* cx, HandleObjectGroup group, size_t length); extern ArrayObject* -NewFullyAllocatedArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length, +NewFullyAllocatedArrayTryReuseGroup(JSContext* cx, HandleObject obj, size_t length, NewObjectKind newKind = GenericObject); extern ArrayObject* -NewPartlyAllocatedArrayTryReuseGroup(JSContext* cx, JSObject* obj, size_t length); +NewPartlyAllocatedArrayTryReuseGroup(JSContext* cx, HandleObject obj, size_t length); extern ArrayObject* NewFullyAllocatedArrayForCallingAllocationSite(JSContext* cx, size_t length, diff --git a/js/src/jsfun.cpp b/js/src/jsfun.cpp index f032b822f..5a253217b 100644 --- a/js/src/jsfun.cpp +++ b/js/src/jsfun.cpp @@ -826,7 +826,7 @@ CreateFunctionPrototype(JSContext* cx, JSProtoKey key) return nullptr; functionProto->initScript(script); - ObjectGroup* protoGroup = functionProto->getGroup(cx); + ObjectGroup* protoGroup = JSObject::getGroup(cx, functionProto); if (!protoGroup) return nullptr; diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp index afaf24abd..0c7c9bc32 100644 --- a/js/src/jsobj.cpp +++ b/js/src/jsobj.cpp @@ -1489,9 +1489,9 @@ JSObject::swap(JSContext* cx, HandleObject a, HandleObject b) AutoCompartment ac(cx, a); - if (!a->getGroup(cx)) + if (!JSObject::getGroup(cx, a)) oomUnsafe.crash("JSObject::swap"); - if (!b->getGroup(cx)) + if (!JSObject::getGroup(cx, b)) oomUnsafe.crash("JSObject::swap"); /* @@ -3852,7 +3852,8 @@ displayAtomFromObjectGroup(ObjectGroup& group) bool JSObject::constructorDisplayAtom(JSContext* cx, js::MutableHandleAtom name) { - ObjectGroup *g = getGroup(cx); + RootedObject self(cx, this); // Temporary change. + ObjectGroup *g = JSObject::getGroup(cx, self); if (!g) return false; diff --git a/js/src/jsobj.h b/js/src/jsobj.h index af79131af..aa4070556 100644 --- a/js/src/jsobj.h +++ b/js/src/jsobj.h @@ -348,7 +348,7 @@ class JSObject : public js::gc::Cell // Change an existing object to have a singleton group. static bool changeToSingleton(JSContext* cx, js::HandleObject obj); - inline js::ObjectGroup* getGroup(JSContext* cx); + static inline js::ObjectGroup* getGroup(JSContext* cx, js::HandleObject obj); const js::GCPtrObjectGroup& groupFromGC() const { /* Direct field access for use by GC. */ diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h index 7028310ce..c132ee6b2 100644 --- a/js/src/jsobjinlines.h +++ b/js/src/jsobjinlines.h @@ -117,17 +117,16 @@ JSObject::setSingleton(js::ExclusiveContext* cx, js::HandleObject obj) return true; } -inline js::ObjectGroup* -JSObject::getGroup(JSContext* cx) +/* static */ inline js::ObjectGroup* +JSObject::getGroup(JSContext* cx, js::HandleObject obj) { - MOZ_ASSERT(cx->compartment() == compartment()); - if (hasLazyGroup()) { - JS::RootedObject self(cx, this); - if (cx->compartment() != compartment()) + MOZ_ASSERT(cx->compartment() == obj->compartment()); + if (obj->hasLazyGroup()) { + if (cx->compartment() != obj->compartment()) MOZ_CRASH(); - return makeLazyGroup(cx, self); + return makeLazyGroup(cx, obj); } - return group_; + return obj->group_; } inline void diff --git a/js/src/shell/js.cpp b/js/src/shell/js.cpp index f8b10285a..19bb6b84a 100644 --- a/js/src/shell/js.cpp +++ b/js/src/shell/js.cpp @@ -3488,8 +3488,8 @@ GroupOf(JSContext* cx, unsigned argc, JS::Value* vp) JS_ReportErrorASCII(cx, "groupOf: object expected"); return false; } - JSObject* obj = &args[0].toObject(); - ObjectGroup* group = obj->getGroup(cx); + RootedObject obj(cx, &args[0].toObject()); + ObjectGroup* group = JSObject::getGroup(cx, obj); if (!group) return false; args.rval().set(JS_NumberValue(double(uintptr_t(group) >> 3))); diff --git a/js/src/vm/ArrayBufferObject.cpp b/js/src/vm/ArrayBufferObject.cpp index 1053fa99d..2c5e2dd25 100644 --- a/js/src/vm/ArrayBufferObject.cpp +++ b/js/src/vm/ArrayBufferObject.cpp @@ -344,7 +344,7 @@ ArrayBufferObject::detach(JSContext* cx, Handle<ArrayBufferObject*> buffer, // Make sure the global object's group has been instantiated, so the // flag change will be observed. AutoEnterOOMUnsafeRegion oomUnsafe; - if (!cx->global()->getGroup(cx)) + if (!JSObject::getGroup(cx, cx->global())) oomUnsafe.crash("ArrayBufferObject::detach"); MarkObjectGroupFlags(cx, cx->global(), OBJECT_FLAG_TYPED_OBJECT_HAS_DETACHED_BUFFER); cx->compartment()->detachedTypedObjects = 1; diff --git a/js/src/vm/Interpreter.cpp b/js/src/vm/Interpreter.cpp index 35ab2ff26..77637aab8 100644 --- a/js/src/vm/Interpreter.cpp +++ b/js/src/vm/Interpreter.cpp @@ -4725,7 +4725,8 @@ js::RunOnceScriptPrologue(JSContext* cx, HandleScript script) // Force instantiation of the script's function's group to ensure the flag // is preserved in type information. - if (!script->functionNonDelazifying()->getGroup(cx)) + RootedFunction fun(cx, script->functionNonDelazifying()); + if (!JSObject::getGroup(cx, fun)) return false; MarkObjectGroupFlags(cx, script->functionNonDelazifying(), OBJECT_FLAG_RUNONCE_INVALIDATED); diff --git a/js/src/vm/ObjectGroup.cpp b/js/src/vm/ObjectGroup.cpp index f3e748a1d..6e9000894 100644 --- a/js/src/vm/ObjectGroup.cpp +++ b/js/src/vm/ObjectGroup.cpp @@ -283,12 +283,13 @@ JSObject::splicePrototype(JSContext* cx, const Class* clasp, Handle<TaggedProto> return false; // Force type instantiation when splicing lazy group. - RootedObjectGroup group(cx, self->getGroup(cx)); + RootedObjectGroup group(cx, JSObject::getGroup(cx, self)); if (!group) return false; RootedObjectGroup protoGroup(cx, nullptr); if (proto.isObject()) { - protoGroup = proto.toObject()->getGroup(cx); + RootedObject protoObj(cx, proto.toObject()); + protoGroup = JSObject::getGroup(cx, protoObj); if (!protoGroup) return false; } diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp index 63daec36e..60d9e183a 100644 --- a/js/src/vm/TypeInference.cpp +++ b/js/src/vm/TypeInference.cpp @@ -1319,7 +1319,8 @@ js::EnsureTrackPropertyTypes(JSContext* cx, JSObject* obj, jsid id) AutoEnterAnalysis enter(cx); if (obj->hasLazyGroup()) { AutoEnterOOMUnsafeRegion oomUnsafe; - if (!obj->getGroup(cx)) { + RootedObject objRoot(cx, obj); + if (!JSObject::getGroup(cx, objRoot)) { oomUnsafe.crash("Could not allocate ObjectGroup in EnsureTrackPropertyTypes"); return; } @@ -1338,9 +1339,12 @@ HeapTypeSetKey::instantiate(JSContext* cx) { if (maybeTypes()) return true; - if (object()->isSingleton() && !object()->singleton()->getGroup(cx)) { - cx->clearPendingException(); - return false; + if (object()->isSingleton()) { + RootedObject obj(cx, object()->singleton()); + if (!JSObject::getGroup(cx, obj)) { + cx->clearPendingException(); + return false; + } } JSObject* obj = object()->isSingleton() ? object()->singleton() : nullptr; maybeTypes_ = object()->maybeGroup()->getProperty(cx, obj, id()); @@ -3088,7 +3092,7 @@ js::AddClearDefiniteGetterSetterForPrototypeChain(JSContext* cx, ObjectGroup* gr */ RootedObject proto(cx, group->proto().toObjectOrNull()); while (proto) { - ObjectGroup* protoGroup = proto->getGroup(cx); + ObjectGroup* protoGroup = JSObject::getGroup(cx, proto); if (!protoGroup) { cx->recoverFromOutOfMemory(); return false; |