From c482d0b4b54657331b4a5b9ce3f4dd6bcfd9cd53 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Wed, 21 Aug 2019 21:25:50 -0700
Subject: [PATCH] #533: backout 'eliminate one potential cause' for crashes in GC
---
 js/src/frontend/FullParseHandler.h | 8 --------
 js/src/frontend/Parser.cpp | 8 +-------
 js/src/jsscript.cpp | 2 --
 js/src/jsscript.h | 14 +++----------
 4 files changed, 4 insertions(+), 28 deletions(-)
diff --git a/js/src/frontend/FullParseHandler.h b/js/src/frontend/FullParseHandler.h
index 9674ce341..e26d6fb47 100644
--- a/js/src/frontend/FullParseHandler.h
+++ b/js/src/frontend/FullParseHandler.h
@@ -1018,14 +1018,6 @@ class FullParseHandler
 syntaxParser = nullptr;
 }
 
- // TenFourFox issue 533, from M1263355
- bool canSkipLazyInnerFunctions() {
- return !!lazyOuterFunction_;
- }
- bool canSkipLazyClosedOverBindings() {
- return !!lazyOuterFunction_;
- }
-
 LazyScript* lazyOuterFunction() {
 return lazyOuterFunction_;
 }
diff --git a/js/src/frontend/Parser.cpp b/js/src/frontend/Parser.cpp
index ab3150833..ab0b945ee 100644
--- a/js/src/frontend/Parser.cpp
+++ b/js/src/frontend/Parser.cpp
@@ -1120,11 +1120,8 @@ Parser::defineFunctionThis()
 
 // Also define a this-binding if direct eval is used, in derived class
 // constructors (JSOP_CHECKRETURN relies on it) or if there's a debugger
- // statement, or if this is a lazy script that has a this-binding
- // (TenFourFox issue 533).
+ // statement.
 if (pc->sc->hasDirectEval() ||
- (handler.canSkipLazyClosedOverBindings() &&
- pc->sc->asFunctionBox()->function()->lazyScript()->hasThisBinding()) ||
 pc->sc->asFunctionBox()->isDerivedClassConstructor() ||
 pc->sc->hasDebuggerStatement()) {
@@ -2939,9 +2936,6 @@ Parser::finishFunctionDefinition(Node pn, FunctionBox* funbo
 lazy->setIsDerivedClassConstructor();
 if (funbox->needsHomeObject())
 lazy->setNeedsHomeObject();
- // TenFourFox issue 533
- if (funbox->hasThisBinding())
- lazy->setHasThisBinding();
 PropagateTransitiveParseFlags(funbox, lazy);
 
 fun->initLazyScript(lazy);
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
index 011c9d34a..c2a7afae2 100644
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -4282,7 +4282,6 @@ LazyScript::CreateRaw(ExclusiveContext* cx, HandleFunction fun,
 p.hasBeenCloned = false;
 p.treatAsRunOnce = false;
 p.isAsync = false;
- p.hasThisBinding = false;
 
 size_t bytes = (p.numFreeVariables * sizeof(FreeVariable))
 + (p.numInnerFunctions * sizeof(HeapPtrFunction));
@@ -4313,7 +4312,6 @@ LazyScript::CreateRaw(ExclusiveContext* cx, HandleFunction fun,
 };
 
 p.version = version;
- p.hasThisBinding = false;
 p.numFreeVariables = numFreeVariables;
 p.isAsync = false;
 p.numInnerFunctions = numInnerFunctions;
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
index 1a72c7464..90eb07ed9 100644
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -2150,7 +2150,7 @@ class LazyScript : public gc::TenuredCell
 // instead of private to suppress -Wunused-private-field compiler warnings.
 protected:
 #if JS_BITS_PER_WORD == 32
- //uint32_t padding; // widened after TenFourFox issue 533
+ uint32_t padding;
 #endif
 private:
 
@@ -2158,7 +2158,8 @@ class LazyScript : public gc::TenuredCell
 // Assorted bits that should really be in ScriptSourceObject.
 uint32_t version : 8;
 
- uint32_t numFreeVariables : 22;
+ uint32_t numFreeVariables : 23;
+ uint32_t isAsync: 1;
 uint32_t numInnerFunctions : 20;
 uint32_t generatorKindBits : 2;
 
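Review bot: The restored `uint32_t padding;` under `JS_BITS_PER_WORD == 32` in the first jsscript.h hunk carries no explanation, yet the line it replaces shows it was commented out precisely to make room for the issue-533 bit, which is the change this commit backs out for GC crashes. Because the member is never read (the comment above says it is `protected` only to silence -Wunused-private-field) the next reader will again take it for dead weight and be tempted to remove it. Record the reason on the line, e.g. `uint32_t padding; // do not remove: dropping this changed LazyScript's 32-bit layout and was implicated in the #533 GC crashes`. Whether the field matters for alignment of the packed bit-fields that follow or for the tenured cell size cannot be confirmed from this hunk, so a `static_assert` on `sizeof(LazyScript)` beside it would pin whichever invariant the backout depends on; the class body continues outside the hunk.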
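Review bot: `uint32_t isAsync: 1;` on the added line of the second jsscript.h hunk is the only bit-field in the hunk without a space before the colon; write it `uint32_t isAsync : 1;` to match `numFreeVariables : 23` and `numInnerFunctions : 20` on either side. The same line moves `isAsync` above the `// N.B. These are booleans ...` block (third jsscript.h hunk) whose note tells readers to initialise every flag in `LazyScript::CreateRaw()`; it is still set to false in both jsscript.cpp hunks, but a comment such as `// initialised in LazyScript::CreateRaw() like the flags below` on the new line would keep that contract visible now that it sits outside the block. `numFreeVariables` is also widened back to 23 bits while the `numFreeVariables` argument assigned in the second jsscript.cpp hunk is presumably a full-width integer; no range check is visible in these hunks, so confirm one exists (or add a `MOZ_ASSERT` on the bit width) since a silently truncated count would under-size the `bytes` computed from `p.numFreeVariables` in the first jsscript.cpp hunk. Both CreateRaw bodies start and end outside their hunks.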
@@ -2166,8 +2167,6 @@ class LazyScript : public gc::TenuredCell
 // N.B. These are booleans but need to be uint32_t to pack correctly on MSVC.
 // If you add another boolean here, make sure to initialze it in
 // LazyScript::CreateRaw().
- uint32_t hasThisBinding : 1;
- uint32_t isAsync: 1;
 uint32_t strict : 1;
 uint32_t bindingsAccessedDynamically : 1;
 uint32_t hasDebuggerStatement : 1;
@@ -2369,13 +2368,6 @@ class LazyScript : public gc::TenuredCell
 p_.needsHomeObject = true;
 }
 
- bool hasThisBinding() const {
- return p_.hasThisBinding;
- }
- void setHasThisBinding() {
- p_.hasThisBinding = true;
- }
-
 const char* filename() const {
 return scriptSource()->filename();
 }