mirror of
https://github.com/classilla/tenfourfox.git
synced 2025-02-06 02:30:56 +00:00
#534: M1505181 M1506640
This commit is contained in:
parent
de66c97dac
commit
5fc65abade
@ -425,6 +425,19 @@ class JSFunction : public js::NativeObject
|
||||
return nonLazyScript();
|
||||
}
|
||||
|
||||
// If this is a scripted function, returns its canonical function (the
|
||||
// original function allocated by the frontend). Note that lazy self-hosted
|
||||
// builtins don't have a lazy script so in that case we also return nullptr.
|
||||
JSFunction* maybeCanonicalFunction() const {
|
||||
if (hasScript()) {
|
||||
return nonLazyScript()->functionNonDelazifying();
|
||||
}
|
||||
if (isInterpretedLazy() && !isSelfHostedBuiltin()) {
|
||||
return lazyScript()->functionNonDelazifying();
|
||||
}
|
||||
return nullptr;
|
||||
}
|
||||
|
||||
// The state of a JSFunction whose script errored out during bytecode
|
||||
// compilation. Such JSFunctions are only reachable via GC iteration and
|
||||
// not from script.
|
||||
|
@ -6172,6 +6172,8 @@ GCRuntime::incrementalCollectSlice(SliceBudget& budget, JS::gcreason::Reason rea
|
||||
/* fall through */
|
||||
|
||||
case SWEEP:
|
||||
AutoGCRooter::traceAllWrappers(&marker);
|
||||
|
||||
if (sweepPhase(budget) == NotFinished)
|
||||
break;
|
||||
|
||||
|
@ -484,13 +484,7 @@ ObjectGroup::defaultNewGroup(ExclusiveContext* cx, const Class* clasp,
|
||||
if (associated->is<JSFunction>()) {
|
||||
|
||||
// Canonicalize new functions to use the original one associated with its script.
|
||||
JSFunction* fun = &associated->as<JSFunction>();
|
||||
if (fun->hasScript())
|
||||
associated = fun->nonLazyScript()->functionNonDelazifying();
|
||||
else if (fun->isInterpretedLazy() && !fun->isSelfHostedBuiltin())
|
||||
associated = fun->lazyScript()->functionNonDelazifying();
|
||||
else
|
||||
associated = nullptr;
|
||||
associated = associated->as<JSFunction>().maybeCanonicalFunction();
|
||||
|
||||
// If we have previously cleared the 'new' script information for this
|
||||
// function, don't try to construct another one.
|
||||
|
@ -3526,6 +3526,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
|
||||
MOZ_ASSERT(!group->newScript());
|
||||
MOZ_ASSERT(!group->maybeUnboxedLayout());
|
||||
|
||||
// rollbackPartiallyInitializedObjects expects function_ to be
|
||||
// canonicalized.
|
||||
MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
|
||||
|
||||
if (group->unknownProperties())
|
||||
return true;
|
||||
|
||||
@ -3883,8 +3887,15 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
|
||||
oomUnsafe.crash("rollbackPartiallyInitializedObjects");
|
||||
}
|
||||
|
||||
if (!iter.isConstructing() || !iter.matchCallee(cx, function))
|
||||
if (!iter.isConstructing()) {
|
||||
continue;
|
||||
}
|
||||
|
||||
MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
|
||||
|
||||
if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
|
||||
continue;
|
||||
}
|
||||
|
||||
// Derived class constructors initialize their this-binding later and
|
||||
// we shouldn't run the definite properties analysis on them.
|
||||
|
Loading…
x
Reference in New Issue
Block a user