Bug 1505181 - Use canonical function in TypeNewScript::rollbackPartiallyInitializedObjects. r=bhackett

Differential Revision: https://phabricator.services.mozilla.com/D11224 --HG-- extra : amend_source : 1b0f328e605ffb06cb89234c3b7cc7b33395e8ce
2018-11-07 21:12:45 +01:00 · 2018-11-07 21:12:45 +01:00 · 37f442272e
--- a/js/src/vm/JSFunction.h
+++ b/js/src/vm/JSFunction.h
@ -575,6 +575,19 @@ class JSFunction : public js::NativeObject
        return nonLazyScript();
    }

+    // If this is a scripted function, returns its canonical function (the
+    // original function allocated by the frontend). Note that lazy self-hosted
+    // builtins don't have a lazy script so in that case we also return nullptr.
+    JSFunction* maybeCanonicalFunction() const {
+        if (hasScript()) {
+            return nonLazyScript()->functionNonDelazifying();
+        }
+        if (isInterpretedLazy() && !isSelfHostedBuiltin()) {
+            return lazyScript()->functionNonDelazifying();
+        }
+        return nullptr;
+    }
+
    // The state of a JSFunction whose script errored out during bytecode
    // compilation. Such JSFunctions are only reachable via GC iteration and
    // not from script.
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@ -521,14 +521,7 @@ ObjectGroup::defaultNewGroup(JSContext* cx, const Class* clasp,
        if (associated->is<JSFunction>()) {

            // Canonicalize new functions to use the original one associated with its script.
-            JSFunction* fun = &associated->as<JSFunction>();
-            if (fun->hasScript()) {
-                associated = fun->nonLazyScript()->functionNonDelazifying();
-            } else if (fun->isInterpretedLazy() && !fun->isSelfHostedBuiltin()) {
-                associated = fun->lazyScript()->functionNonDelazifying();
-            } else {
-                associated = nullptr;
-            }
+            associated = associated->as<JSFunction>().maybeCanonicalFunction();

            // If we have previously cleared the 'new' script information for this
            // function, don't try to construct another one.
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@ -4025,6 +4025,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
    MOZ_ASSERT(!group->newScript(sweep));
    MOZ_ASSERT(!group->maybeUnboxedLayout(sweep));

+    // rollbackPartiallyInitializedObjects expects function_ to be
+    // canonicalized.
+    MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
+
    if (group->unknownProperties(sweep)) {
        return true;
    }
@ -4404,7 +4408,13 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
            }
        }

-        if (!iter.isConstructing() || !iter.matchCallee(cx, function)) {
+        if (!iter.isConstructing()) {
+            continue;
+        }
+
+        MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
+
+        if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
            continue;
        }