#534: M1505181 M1506640

This commit is contained in:
Cameron Kaiser 2018-11-26 06:43:31 -08:00
parent de66c97dac
commit 5fc65abade
4 changed files with 28 additions and 8 deletions


@ -425,6 +425,19 @@ class JSFunction : public js::NativeObject
return nonLazyScript();
}
// If this is a scripted function, returns its canonical function (the
// original function allocated by the frontend). Note that lazy self-hosted
// builtins don't have a lazy script so in that case we also return nullptr.
JSFunction* maybeCanonicalFunction() const {
if (hasScript()) {
return nonLazyScript()->functionNonDelazifying();
}
if (isInterpretedLazy() && !isSelfHostedBuiltin()) {
return lazyScript()->functionNonDelazifying();
}
return nullptr;
}
// The state of a JSFunction whose script errored out during bytecode
// compilation. Such JSFunctions are only reachable via GC iteration and
// not from script.
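Review bot: The doc comment on the new maybeCanonicalFunction spells out the scripted and lazy cases but leaves the native-function case implicit, even though the final `return nullptr;` covers it and the new callers in TypeInference.cpp assert on the result. I'd make the contract explicit by replacing the last sentence with `// Returns nullptr for native functions, and for lazy self-hosted builtins, which don't have a lazy script.`. The enclosing class JSFunction continues outside the hunk.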


@ -6172,6 +6172,8 @@ GCRuntime::incrementalCollectSlice(SliceBudget& budget, JS::gcreason::Reason rea
/* fall through */
case SWEEP:
AutoGCRooter::traceAllWrappers(&marker);
if (sweepPhase(budget) == NotFinished)
break;


@ -484,13 +484,7 @@ ObjectGroup::defaultNewGroup(ExclusiveContext* cx, const Class* clasp,
if (associated->is<JSFunction>()) {
// Canonicalize new functions to use the original one associated with its script.
JSFunction* fun = &associated->as<JSFunction>();
if (fun->hasScript())
associated = fun->nonLazyScript()->functionNonDelazifying();
else if (fun->isInterpretedLazy() && !fun->isSelfHostedBuiltin())
associated = fun->lazyScript()->functionNonDelazifying();
else
associated = nullptr;
associated = associated->as<JSFunction>().maybeCanonicalFunction();
// If we have previously cleared the 'new' script information for this
// function, don't try to construct another one.
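Review bot: The new `associated = associated->as<JSFunction>().maybeCanonicalFunction();` can leave `associated` null for native functions and lazy self-hosted builtins, exactly as the removed `else associated = nullptr;` branch did, but the compact form no longer shows that at the call site. A short comment would keep the old branches' meaning visible, e.g. `// May yield nullptr (native functions, lazy self-hosted builtins).`; presumably the code after the hunk still handles that as before, but it is worth confirming. defaultNewGroup continues outside the hunk.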


@ -3526,6 +3526,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
MOZ_ASSERT(!group->newScript());
MOZ_ASSERT(!group->maybeUnboxedLayout());
// rollbackPartiallyInitializedObjects expects function_ to be
// canonicalized.
MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
if (group->unknownProperties())
return true;
@ -3883,8 +3887,15 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
oomUnsafe.crash("rollbackPartiallyInitializedObjects");
}
if (!iter.isConstructing() || !iter.matchCallee(cx, function))
if (!iter.isConstructing()) {
continue;
}
MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
continue;
}
// Derived class constructors initialize their this-binding later and
// we shouldn't run the definite properties analysis on them.
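Review bot: In rollbackPartiallyInitializedObjects, `iter.calleeTemplate()->maybeCanonicalFunction()` is evaluated twice, once inside the MOZ_ASSERT and once in the comparison; hoisting it into a local keeps the two in step and reads better: `JSFunction* callee = iter.calleeTemplate()->maybeCanonicalFunction();` / `MOZ_ASSERT(callee);` / `if (callee != function) { continue; }`. The `!=` test is only sound because `function` is itself canonical, which the new assertion in TypeNewScript::make enforces; a comment here such as `// |function| is canonical (asserted in make), so comparing canonical functions matches every clone mid-construction.` would record that precondition at the point that depends on it. The enclosing function starts and ends outside the hunk.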