Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-12-04 11:26:09 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1285217 - Handle OOM in IonBuilder::testNotDefinedProperty. r=jandem

Browse Source
This commit is contained in:
Nicolas B. Pierron 2016-07-13 10:15:20 +00:00
parent 17af524d85
commit 08c21398e5
4 changed files with 43 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
js/src/jit-test/tests/ion/bug1285217.js Normal file
View File

@ -0,0 +1,11 @@
function f() {
var o = {
x: 1
};
for (var i = 0; i < 300; i++) o = Object.create(o);
for (var i = 0; i < 15; i++) {
assertEq(o.x, 1);
eval(o.y, undefined);
}
}
f();

27
js/src/jit/IonBuilder.cpp
View File

@ -8270,12 +8270,12 @@ IonBuilder::testSingletonPropertyTypes(MDefinition* obj, jsid id)
return nullptr;
}
bool
ResultWithOOM<bool>
IonBuilder::testNotDefinedProperty(MDefinition* obj, jsid id)
{
TemporaryTypeSet* types = obj->resultTypeSet();
if (!types || types->unknownObject() || types->getKnownMIRType() != MIRType::Object)
return false;
return ResultWithOOM<bool>::ok(false);
for (unsigned i = 0, count = types->getObjectCount(); i < count; i++) {
TypeSet::ObjectKey* key = types->getObject(i);
@ -8283,12 +8283,15 @@ IonBuilder::testNotDefinedProperty(MDefinition* obj, jsid id)
continue;
while (true) {
if (!alloc().ensureBallast())
return ResultWithOOM<bool>::fail();
if (!key->hasStableClassAndProto(constraints()) || key->unknownProperties())
return false;
return ResultWithOOM<bool>::ok(false);
const Class* clasp = key->clasp();
if (!ClassHasEffectlessLookup(clasp) || ObjectHasExtraOwnProperty(compartment, key, id))
return false;
return ResultWithOOM<bool>::ok(false);
// If the object is a singleton, we can do a lookup now to avoid
// unnecessary invalidations later on, in case the property types
@ -8297,12 +8300,12 @@ IonBuilder::testNotDefinedProperty(MDefinition* obj, jsid id)
key->singleton()->is<NativeObject>() &&
key->singleton()->as<NativeObject>().lookupPure(id))
{
return false;
return ResultWithOOM<bool>::ok(false);
}
HeapTypeSetKey property = key->property(id);
if (property.isOwnProperty(constraints()))
return false;
return ResultWithOOM<bool>::ok(false);
JSObject* proto = checkNurseryObject(key->proto().toObjectOrNull());
if (!proto)
@ -8311,7 +8314,7 @@ IonBuilder::testNotDefinedProperty(MDefinition* obj, jsid id)
}
}
return true;
return ResultWithOOM<bool>::ok(true);
}
bool
@ -11686,7 +11689,10 @@ IonBuilder::getPropTryNotDefined(bool* emitted, MDefinition* obj, jsid id, Tempo
return true;
}
if (!testNotDefinedProperty(obj, id)) {
ResultWithOOM<bool> res = testNotDefinedProperty(obj, id);
if (res.oom)
return false;
if (!res.value) {
trackOptimizationOutcome(TrackedOutcome::GenericFailure);
return true;
}
@ -13803,7 +13809,10 @@ IonBuilder::inTryFold(bool* emitted, MDefinition* obj, MDefinition* id)
if (propId != IdToTypeId(propId))
return true;
if (!testNotDefinedProperty(obj, propId))
ResultWithOOM<bool> res = testNotDefinedProperty(obj, propId);
if (res.oom)
return false;
if (!res.value)
return true;
*emitted = true;

2
js/src/jit/IonBuilder.h
View File

@ -1048,7 +1048,7 @@ class IonBuilder
JSObject* testSingletonProperty(JSObject* obj, jsid id);
JSObject* testSingletonPropertyTypes(MDefinition* obj, jsid id);
MOZ_MUST_USE bool testNotDefinedProperty(MDefinition* obj, jsid id);
ResultWithOOM<bool> testNotDefinedProperty(MDefinition* obj, jsid id);
uint32_t getDefiniteSlot(TemporaryTypeSet* types, PropertyName* name, uint32_t* pnfixed);
MDefinition* convertUnboxedObjects(MDefinition* obj);

13
js/src/jit/MIR.h
View File

@ -44,6 +44,19 @@ namespace jit {
class BaselineInspector;
class Range;
template <typename T>
struct ResultWithOOM {
T value;
bool oom;
static ResultWithOOM<T> ok(T val) {
return { val, false };
}
static ResultWithOOM<T> fail() {
return { T(), true };
}
};
static inline
MIRType MIRTypeFromValue(const js::Value& vp)
{