From 1f3dbeca3ba9e76d9bc7aa7248cd09483a819bf8 Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Wed, 11 Mar 2015 11:58:25 +0100
Subject: [PATCH] Bug 1090583 part 2 - Fix the property count check in MonitorAssign to check the actual count instead of the capacity. r=bhackett
---
 js/src/vm/ObjectGroup.h | 8 +++++++-
 js/src/vm/TypeInference-inl.h | 4 ++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/js/src/vm/ObjectGroup.h b/js/src/vm/ObjectGroup.h
index be4e0497b51d..7ad274bdda61 100644
--- a/js/src/vm/ObjectGroup.h
+++ b/js/src/vm/ObjectGroup.h
@@ -491,6 +491,11 @@ class ObjectGroup : public gc::TenuredCell
 /* Get a property only if it already exists. */
 inline HeapTypeSet *maybeGetProperty(jsid id);
+ /*
+ * Iterate through the group's properties. getPropertyCount overapproximates
+ * in the hash case (see SET_ARRAY_SIZE in TypeInference-inl.h), and
+ * getProperty may return nullptr.
+ */
 inline unsigned getPropertyCount();
 inline Property *getProperty(unsigned i);
@@ -559,8 +564,9 @@ class ObjectGroup : public gc::TenuredCell
 return Addendum_OriginalUnboxedGroup << OBJECT_FLAG_ADDENDUM_SHIFT;
 }
- private:
 inline uint32_t basePropertyCount();
+
+ private:
 inline void setBasePropertyCount(uint32_t count);
 static void staticAsserts() {
diff --git a/js/src/vm/TypeInference-inl.h b/js/src/vm/TypeInference-inl.h
index f0de64379680..fe6d6fe9c8dc 100644
--- a/js/src/vm/TypeInference-inl.h
+++ b/js/src/vm/TypeInference-inl.h
@@ -611,8 +611,8 @@ TypeScript::MonitorAssign(JSContext *cx, HandleObject obj, jsid id)
 // But if we don't have too many properties yet, don't do anything. The
 // idea here is that normal object initialization should not trigger
 // deoptimization in most cases, while actual usage as a hashmap should.
- ObjectGroup* group = obj->group();
- if (group->getPropertyCount() < 128)
+ ObjectGroup *group = obj->group();
+ if (group->basePropertyCount() < 128)
 return;
 MarkObjectGroupUnknownProperties(cx, group);
 }
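Review bot: `basePropertyCount()` becomes part of ObjectGroup's public interface when the `private:` label moves below it, but unlike the `getPropertyCount`/`getProperty` pair documented in the first hunk it carries no comment saying what it counts, so a caller choosing between the two accessors has to read the commit message to learn the difference. Add above the declaration: `/* Number of properties actually added to the group; unlike getPropertyCount() this is not rounded up to the hash-table capacity. */`. `setBasePropertyCount` correctly remains private below the relocated label. The enclosing class ObjectGroup starts and ends outside this hunk.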
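Review bot: The new condition `if (group->basePropertyCount() < 128)` keeps `128` as a bare literal and the comment block above it still does not say why the base count rather than `getPropertyCount()` is compared, which is the whole point of the fix and is exactly what a later edit could undo by accident. Extend the comment with `// Compare the real property count: getPropertyCount() reports hash capacity and overapproximates.` and give the bound a name such as `static const uint32_t MaxPropertiesBeforeUnknown = 128;` in place of the literal. If `basePropertyCount()` is backed by a limited-width field that saturates below 128 (not visible here), the early return would always fire and unknown-properties marking would never happen, so the maximum it can represent is worth confirming against its definition. MonitorAssign's body begins before this hunk.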