зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1352510 - Handle already-invalidated IonScripts in ArrayPushDense. r=h4writer
--HG-- extra : rebase_source : 807ed6f72eb353020a4460ba0137e37f88245f6b
This commit is contained in:
Родитель
c8124fabe7
Коммит
3d34d9a8de
|
@ -0,0 +1,8 @@
|
|||
function maybeSetLength(arr, b) {
|
||||
if (b) arr.length = 0x7fffffff;
|
||||
}
|
||||
var arr = [];
|
||||
for (var i = 0; i < 2000; i++) {
|
||||
maybeSetLength(arr, i > 1500);
|
||||
var res = arr.push((0.017453));
|
||||
}
|
|
@ -356,8 +356,17 @@ ArrayPushDense(JSContext* cx, HandleObject obj, HandleValue v, uint32_t* length)
|
|||
return result == DenseElementResult::Success;
|
||||
}
|
||||
|
||||
// AutoDetectInvalidation uses GetTopJitJSScript(cx)->ionScript(), but it's
|
||||
// possible the SetOrExtendAnyBoxedOrUnboxedDenseElements call already
|
||||
// invalidated the IonScript. JitFrameIterator::ionScript works when the
|
||||
// script is invalidated so we use that instead.
|
||||
JitFrameIterator it(cx);
|
||||
MOZ_ASSERT(it.type() == JitFrame_Exit);
|
||||
++it;
|
||||
IonScript* ionScript = it.ionScript();
|
||||
|
||||
JS::AutoValueArray<3> argv(cx);
|
||||
AutoDetectInvalidation adi(cx, argv[0]);
|
||||
AutoDetectInvalidation adi(cx, argv[0], ionScript);
|
||||
argv[0].setUndefined();
|
||||
argv[1].setObject(*obj);
|
||||
argv[2].set(v);
|
||||
|
|
Загрузка…
Ссылка в новой задаче