Bug 1143106 - Fix construction of singleton objects during parsing when unboxed objects are in use, r=jandem.

2015-03-18 08:42:30 -07:00 · 2015-03-18 08:42:30 -07:00 · 5d733811e9
--- a/js/src/frontend/BytecodeEmitter.cpp
+++ b/js/src/frontend/BytecodeEmitter.cpp
@ -4243,8 +4243,11 @@ EmitAssignment(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *lhs, JSOp
 }

 bool
-ParseNode::getConstantValue(ExclusiveContext *cx, AllowConstantObjects allowObjects, MutableHandleValue vp)
+ParseNode::getConstantValue(ExclusiveContext *cx, AllowConstantObjects allowObjects, MutableHandleValue vp,
+                            NewObjectKind newKind)
 {
+    MOZ_ASSERT(newKind == TenuredObject || newKind == SingletonObject);
+
    switch (getKind()) {
      case PNK_NUMBER:
        vp.setNumber(pn_dval);
@ -4284,8 +4287,7 @@ ParseNode::getConstantValue(ExclusiveContext *cx, AllowConstantObjects allowObje
            pn = pn_head;
        }

-        RootedArrayObject obj(cx, NewDenseFullyAllocatedArray(cx, count, NullPtr(),
-                                                              MaybeSingletonObject));
+        RootedArrayObject obj(cx, NewDenseFullyAllocatedArray(cx, count, NullPtr(), newKind));
        if (!obj)
            return false;

@ -4348,7 +4350,7 @@ ParseNode::getConstantValue(ExclusiveContext *cx, AllowConstantObjects allowObje
        }

        JSObject *obj = ObjectGroup::newPlainObject(cx, properties.begin(), properties.length(),
-                                                    TenuredObject);
+                                                    newKind);
        if (!obj)
            return false;

@ -4364,15 +4366,15 @@ ParseNode::getConstantValue(ExclusiveContext *cx, AllowConstantObjects allowObje
 static bool
 EmitSingletonInitialiser(ExclusiveContext *cx, BytecodeEmitter *bce, ParseNode *pn)
 {
+    NewObjectKind newKind = (pn->getKind() == PNK_OBJECT) ? SingletonObject : TenuredObject;
+
    RootedValue value(cx);
-    if (!pn->getConstantValue(cx, ParseNode::AllowObjects, &value))
+    if (!pn->getConstantValue(cx, ParseNode::AllowObjects, &value, newKind))
        return false;

-    RootedNativeObject obj(cx, &value.toObject().as<NativeObject>());
-    if (!obj->is<ArrayObject>() && !JSObject::setSingleton(cx, obj))
-        return false;
+    MOZ_ASSERT_IF(newKind == SingletonObject, value.toObject().isSingleton());

-    ObjectBox *objbox = bce->parser->newObjectBox(obj);
+    ObjectBox *objbox = bce->parser->newObjectBox(&value.toObject());
    if (!objbox)
        return false;

--- a/js/src/frontend/ParseNode.cpp
+++ b/js/src/frontend/ParseNode.cpp
@ -1091,7 +1091,7 @@ NameNode::dump(int indent)
 }
 #endif

-ObjectBox::ObjectBox(NativeObject *object, ObjectBox* traceLink)
+ObjectBox::ObjectBox(JSObject *object, ObjectBox* traceLink)
  : object(object),
    traceLink(traceLink),
    emitLink(nullptr)
--- a/js/src/frontend/ParseNode.h
+++ b/js/src/frontend/ParseNode.h
@ -872,7 +872,8 @@ class ParseNode
        AllowObjects
    };

-    bool getConstantValue(ExclusiveContext *cx, AllowConstantObjects allowObjects, MutableHandleValue vp);
+    bool getConstantValue(ExclusiveContext *cx, AllowConstantObjects allowObjects, MutableHandleValue vp,
+                          NewObjectKind newKind = TenuredObject);
    inline bool isConstant();

    template <class NodeType>
@ -1634,9 +1635,9 @@ ParseNode::isConstant()
 class ObjectBox
 {
  public:
-    NativeObject *object;
+    JSObject *object;

-    ObjectBox(NativeObject *object, ObjectBox *traceLink);
+    ObjectBox(JSObject *object, ObjectBox *traceLink);
    bool isFunctionBox() { return object->is<JSFunction>(); }
    FunctionBox *asFunctionBox();
    void trace(JSTracer *trc);
--- a/js/src/frontend/Parser.cpp
+++ b/js/src/frontend/Parser.cpp
@ -563,7 +563,7 @@ Parser<ParseHandler>::~Parser()

 template <typename ParseHandler>
 ObjectBox *
-Parser<ParseHandler>::newObjectBox(NativeObject *obj)
+Parser<ParseHandler>::newObjectBox(JSObject *obj)
 {
    MOZ_ASSERT(obj && !IsPoisonedPtr(obj));

--- a/js/src/frontend/Parser.h
+++ b/js/src/frontend/Parser.h
@ -432,7 +432,7 @@ class Parser : private JS::AutoGCRooter, public StrictModeGetter
     * Allocate a new parsed object or function container from
     * cx->tempLifoAlloc.
     */
-    ObjectBox *newObjectBox(NativeObject *obj);
+    ObjectBox *newObjectBox(JSObject *obj);
    FunctionBox *newFunctionBox(Node fn, JSFunction *fun, ParseContext<ParseHandler> *pc,
                                Directives directives, GeneratorKind generatorKind);

--- a/js/src/jit-test/tests/basic/bug1143106.js
+++ b/js/src/jit-test/tests/basic/bug1143106.js
@ -0,0 +1,8 @@
+({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}),
+({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}),
+({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}), ({x:3}),
+({x:3}), ({x:3}), ({x:3})
+
+[{x:3},{x:3},{x:3},{x:3},{x:3},{x:3},{x:3},
+ {x:3},{x:3},{x:3},{x:3},{x:3},{x:3},{x:3},
+ {x:3},{x:3},{x:3},{x:3},{x:3},{x:3},{x:3}]
--- a/js/src/vm/UnboxedObject.cpp
+++ b/js/src/vm/UnboxedObject.cpp
@ -72,6 +72,9 @@ UnboxedLayout::makeConstructorCode(JSContext *cx, HandleObjectGroup group)
 {
    using namespace jit;

+    if (!cx->compartment()->ensureJitCompartmentExists(cx))
+        return false;
+
    UnboxedLayout &layout = group->unboxedLayout();
    MOZ_ASSERT(!layout.constructorCode());