Bug 1090583 part 2 - Fix the property count check in MonitorAssign to check the actual count instead of the capacity. r=bhackett

2024-10-12 12:55:46 +00:00 · 2015-03-11 11:58:25 +01:00 · 2015-03-11 11:58:25 +01:00 · 1f3dbeca3b
commit 1f3dbeca3b
parent 52df648372
2 changed files with 9 additions and 3 deletions
--- a/js/src/vm/ObjectGroup.h
+++ b/js/src/vm/ObjectGroup.h
@ -491,6 +491,11 @@ class ObjectGroup : public gc::TenuredCell
    /* Get a property only if it already exists. */
    inline HeapTypeSet *maybeGetProperty(jsid id);

+    /*
+     * Iterate through the group's properties. getPropertyCount overapproximates
+     * in the hash case (see SET_ARRAY_SIZE in TypeInference-inl.h), and
+     * getProperty may return nullptr.
+     */
    inline unsigned getPropertyCount();
    inline Property *getProperty(unsigned i);

@ -559,8 +564,9 @@ class ObjectGroup : public gc::TenuredCell
        return Addendum_OriginalUnboxedGroup << OBJECT_FLAG_ADDENDUM_SHIFT;
    }

-  private:
    inline uint32_t basePropertyCount();
+
+  private:
    inline void setBasePropertyCount(uint32_t count);

    static void staticAsserts() {
--- a/js/src/vm/TypeInference-inl.h
+++ b/js/src/vm/TypeInference-inl.h
@ -611,8 +611,8 @@ TypeScript::MonitorAssign(JSContext *cx, HandleObject obj, jsid id)
        // But if we don't have too many properties yet, don't do anything.  The
        // idea here is that normal object initialization should not trigger
        // deoptimization in most cases, while actual usage as a hashmap should.
-        ObjectGroup* group = obj->group();
-        if (group->getPropertyCount() < 128)
+        ObjectGroup *group = obj->group();
+        if (group->basePropertyCount() < 128)
            return;
        MarkObjectGroupUnknownProperties(cx, group);
    }