From 5b7b61b5370909c30761ae1186b40a59989ca4ff Mon Sep 17 00:00:00 2001 From: Brian Hackett Date: Mon, 26 Jan 2015 08:17:45 -0700 Subject: [PATCH] Bug 1124651 - Make sure type sets with unknown-properties objects are marked as unknown if those objects are swept, r=jandem. --- js/src/jsinfer.cpp | 22 ++++++++++++++++++---- 1 file changed, 18 insertions(+), 4 deletions(-) diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp index a60c7de2051d..f7a413e9e401 100644 --- a/js/src/jsinfer.cpp +++ b/js/src/jsinfer.cpp @@ -4612,7 +4612,9 @@ ConstraintTypeSet::sweep(Zone *zone, AutoClearTypeInferenceStateOnOOM &oom) objectCount = 0; for (unsigned i = 0; i < oldCapacity; i++) { TypeObjectKey *object = oldArray[i]; - if (object && !IsAboutToBeFinalized(&object)) { + if (!object) + continue; + if (!IsAboutToBeFinalized(&object)) { TypeObjectKey **pentry = HashSetInsert (zone->types.typeLifoAlloc, objectSet, objectCount, object); @@ -4625,16 +4627,28 @@ ConstraintTypeSet::sweep(Zone *zone, AutoClearTypeInferenceStateOnOOM &oom) objectCount = 0; break; } + } else if (object->isTypeObject() && object->asTypeObject()->unknownProperties()) { + // Object sets containing objects with unknown properties might + // not be complete. Mark the type set as unknown, which it will + // be treated as during Ion compilation. + flags |= TYPE_FLAG_ANYOBJECT; + clearObjects(); + objectCount = 0; + break; } } setBaseObjectCount(objectCount); } else if (objectCount == 1) { TypeObjectKey *object = (TypeObjectKey *) objectSet; - if (IsAboutToBeFinalized(&object)) { + if (!IsAboutToBeFinalized(&object)) { + objectSet = reinterpret_cast(object); + } else { + // As above, mark type sets containing objects with unknown + // properties as unknown. + if (object->isTypeObject() && object->asTypeObject()->unknownProperties()) + flags |= TYPE_FLAG_ANYOBJECT; objectSet = nullptr; setBaseObjectCount(0); - } else { - objectSet = reinterpret_cast(object); } }