Backed out changeset 8f3feee73843 (bug 1279992) for browser_pdfjs_main.js crashes on a CLOSED TREE.

This commit is contained in:
Ryan VanderMeulen 2016-07-21 14:41:49 -04:00
Родитель ef2a95b47d
Коммит 76cac2b034
14 изменённых файлов: 45 добавлений и 170 удалений


@ -5502,12 +5502,8 @@ GetTemplateObjectForNative(JSContext* cx, HandleFunction target, const CallArgs&
}
}
if (args.length() == 1) {
size_t len = 0;
if (args[0].isInt32() && args[0].toInt32() >= 0)
len = args[0].toInt32();
if (args.length() == 1 && args[0].isInt32() && args[0].toInt32() >= 0) {
uint32_t len = args[0].toInt32();
if (TypedArrayObject::GetTemplateObjectForNative(cx, native, len, res))
return !!res;
}
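Review bot: The restored `if (TypedArrayObject::GetTemplateObjectForNative(cx, native, len, res)) return !!res;` treats a `false` return as "no template applies" and falls through, but in the TypedArrayObject.cpp hunk of this same commit that callee also returns `false` when `makeTemplateObject` yields null (`return !!res;`), so a failed template creation is indistinguishable here from a length that did not pass `CalculateAllocSize`. If `makeTemplateObject` reports an exception on failure, the fall-through may continue past a pending exception; either check `cx->isExceptionPending()` after a `false` return or document the contract on the callee, e.g. `// Returns false both when no template is applicable and when creating one failed; res is null in both cases.` The `args[0].toInt32() >= 0` test on the `if` line is what makes the `uint32_t len` narrowing safe and deserves a short comment. The enclosing function begins before the hunk.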


@ -5440,34 +5440,7 @@ CodeGenerator::visitNewTypedArray(LNewTypedArray* lir)
masm.createGCObject(objReg, tempReg, templateObject, initialHeap,
ool->entry(), /*initContents*/true, /*convertDoubleElements*/false);
masm.initTypedArraySlots(objReg, tempReg, lengthReg, liveRegs, ool->entry(),
ttemplate, TypedArrayLength::Fixed);
masm.bind(ool->rejoin());
}
void
CodeGenerator::visitNewTypedArrayDynamicLength(LNewTypedArrayDynamicLength* lir)
{
Register lengthReg = ToRegister(lir->length());
Register objReg = ToRegister(lir->output());
Register tempReg = ToRegister(lir->temp());
LiveRegisterSet liveRegs = lir->safepoint()->liveRegs();
JSObject* templateObject = lir->mir()->templateObject();
gc::InitialHeap initialHeap = lir->mir()->initialHeap();
TypedArrayObject* ttemplate = &templateObject->as<TypedArrayObject>();
OutOfLineCode* ool = oolCallVM(TypedArrayConstructorOneArgInfo, lir,
ArgList(ImmGCPtr(templateObject), lengthReg),
StoreRegisterTo(objReg));
masm.createGCObject(objReg, tempReg, templateObject, initialHeap,
ool->entry(), /*initContents*/true, /*convertDoubleElements*/false);
masm.initTypedArraySlots(objReg, tempReg, lengthReg, liveRegs, ool->entry(),
ttemplate, TypedArrayLength::Dynamic);
masm.initTypedArraySlots(objReg, tempReg, lengthReg, liveRegs, ool->entry(), ttemplate);
masm.bind(ool->rejoin());
}
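Review bot: The restored `masm.initTypedArraySlots(objReg, tempReg, lengthReg, liveRegs, ool->entry(), ttemplate);` passes `lengthReg` to a helper that, per the MacroAssembler.cpp hunk in this commit, unconditionally loads the template's fixed length into it (`move32(Imm32(length), lengthReg)`) before the out-of-line VM call, so at this call site `lengthReg` is a write-only scratch rather than an input, and nothing here says so. I would add `// lengthReg is scratch: initTypedArraySlots loads the template length into it for the OOL path.` above the call. `visitNewTypedArray` begins before the hunk, so whether `lengthReg` is one of LNewTypedArray's two temps is not visible here (the LIR-shared.h hunk shows `LInstructionHelper<1, 0, 2>`, which suggests it is).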


@ -195,7 +195,6 @@ class CodeGenerator final : public CodeGeneratorSpecific
void visitNewArrayCopyOnWrite(LNewArrayCopyOnWrite* lir);
void visitNewArrayDynamicLength(LNewArrayDynamicLength* lir);
void visitNewTypedArray(LNewTypedArray* lir);
void visitNewTypedArrayDynamicLength(LNewTypedArrayDynamicLength* lir);
void visitNewObjectVMCall(LNewObject* lir);
void visitNewObject(LNewObject* lir);
void visitOutOfLineNewObject(OutOfLineNewObject* ool);


@ -247,17 +247,6 @@ LIRGenerator::visitNewTypedArray(MNewTypedArray* ins)
assignSafepoint(lir, ins);
}
void
LIRGenerator::visitNewTypedArrayDynamicLength(MNewTypedArrayDynamicLength* ins)
{
MDefinition* length = ins->length();
MOZ_ASSERT(length->type() == MIRType::Int32);
LNewTypedArrayDynamicLength* lir = new(alloc()) LNewTypedArrayDynamicLength(useRegister(length), temp());
define(lir, ins);
assignSafepoint(lir, ins);
}
void
LIRGenerator::visitNewObject(MNewObject* ins)
{


@ -75,7 +75,6 @@ class LIRGenerator : public LIRGeneratorSpecific
void visitNewArrayCopyOnWrite(MNewArrayCopyOnWrite* ins);
void visitNewArrayDynamicLength(MNewArrayDynamicLength* ins);
void visitNewTypedArray(MNewTypedArray* ins);
void visitNewTypedArrayDynamicLength(MNewTypedArrayDynamicLength* ins);
void visitNewObject(MNewObject* ins);
void visitNewTypedObject(MNewTypedObject* ins);
void visitNewDeclEnvObject(MNewDeclEnvObject* ins);


@ -2302,6 +2302,9 @@ IonBuilder::inlineTypedArray(CallInfo& callInfo, Native native)
if (arg->type() != MIRType::Int32)
return InliningStatus_NotInlined;
if (!arg->maybeConstantValue())
return InliningStatus_NotInlined;
JSObject* templateObject = inspector->getTemplateObjectForNative(pc, native);
if (!templateObject) {
@ -2317,30 +2320,22 @@ IonBuilder::inlineTypedArray(CallInfo& callInfo, Native native)
if (templateObject->isSingleton())
return InliningStatus_NotInlined;
MInstruction* ins = nullptr;
// Negative lengths must throw a RangeError. (We don't track that this
// might have previously thrown, when determining whether to inline, so we
// have to deal with this error case when inlining.)
int32_t providedLen = arg->maybeConstantValue()->toInt32();
if (providedLen < 0)
return InliningStatus_NotInlined;
if (!arg->isConstant()) {
callInfo.setImplicitlyUsedUnchecked();
ins = MNewTypedArrayDynamicLength::New(alloc(), constraints(), templateObject,
templateObject->group()->initialHeap(constraints()),
arg);
} else {
// Negative lengths must throw a RangeError. (We don't track that this
// might have previously thrown, when determining whether to inline, so we
// have to deal with this error case when inlining.)
int32_t providedLen = arg->maybeConstantValue()->toInt32();
if (providedLen < 0)
return InliningStatus_NotInlined;
uint32_t len = AssertedCast<uint32_t>(providedLen);
uint32_t len = AssertedCast<uint32_t>(providedLen);
if (obj->length() != len)
return InliningStatus_NotInlined;
if (obj->length() != len)
return InliningStatus_NotInlined;
callInfo.setImplicitlyUsedUnchecked();
callInfo.setImplicitlyUsedUnchecked();
ins = MNewTypedArray::New(alloc(), constraints(), obj,
obj->group()->initialHeap(constraints()));
}
MInstruction* ins = MNewTypedArray::New(alloc(), constraints(), obj,
obj->group()->initialHeap(constraints()));
current->add(ins);
current->push(ins);


@ -3333,50 +3333,6 @@ class MNewTypedArray : public MNullaryInstruction
}
};
class MNewTypedArrayDynamicLength
: public MUnaryInstruction,
public IntPolicy<0>::Data
{
CompilerObject templateObject_;
gc::InitialHeap initialHeap_;
MNewTypedArrayDynamicLength(CompilerConstraintList* constraints, JSObject* templateObject,
gc::InitialHeap initialHeap, MDefinition* length)
: MUnaryInstruction(length),
templateObject_(templateObject),
initialHeap_(initialHeap)
{
setGuard(); // Need to throw if length is negative.
setResultType(MIRType::Object);
if (!templateObject->isSingleton())
setResultTypeSet(MakeSingletonTypeSet(constraints, templateObject));
}
public:
INSTRUCTION_HEADER(NewTypedArrayDynamicLength)
static MNewTypedArrayDynamicLength* New(TempAllocator& alloc, CompilerConstraintList* constraints,
JSObject* templateObject, gc::InitialHeap initialHeap,
MDefinition* length)
{
return new(alloc) MNewTypedArrayDynamicLength(constraints, templateObject, initialHeap, length);
}
MDefinition* length() const {
return getOperand(0);
}
JSObject* templateObject() const {
return templateObject_;
}
gc::InitialHeap initialHeap() const {
return initialHeap_;
}
virtual AliasSet getAliasSet() const override {
return AliasSet::None();
}
};
class MNewObject
: public MUnaryInstruction,
public NoTypePolicy::Data


@ -130,7 +130,6 @@ namespace jit {
_(NewArrayCopyOnWrite) \
_(NewArrayDynamicLength) \
_(NewTypedArray) \
_(NewTypedArrayDynamicLength) \
_(NewObject) \
_(NewTypedObject) \
_(NewDeclEnvObject) \


@ -1059,7 +1059,7 @@ JS_FOR_EACH_TYPED_ARRAY(CREATE_TYPED_ARRAY)
void
MacroAssembler::initTypedArraySlots(Register obj, Register temp, Register lengthReg,
LiveRegisterSet liveRegs, Label* fail,
TypedArrayObject* templateObj, TypedArrayLength lengthKind)
TypedArrayObject* templateObj)
{
MOZ_ASSERT(templateObj->hasPrivate());
MOZ_ASSERT(!templateObj->hasBuffer());
@ -1074,7 +1074,7 @@ MacroAssembler::initTypedArraySlots(Register obj, Register temp, Register length
int32_t length = templateObj->length();
size_t nbytes = length * templateObj->bytesPerElement();
if (lengthKind == TypedArrayLength::Fixed && dataOffset + nbytes <= JSObject::MAX_BYTE_SIZE) {
if (dataOffset + nbytes <= JSObject::MAX_BYTE_SIZE) {
MOZ_ASSERT(dataOffset + nbytes <= templateObj->tenuredSizeOfThis());
// Store data elements inside the remaining JSObject slots.
@ -1093,8 +1093,7 @@ MacroAssembler::initTypedArraySlots(Register obj, Register temp, Register length
for (size_t i = 0; i < numZeroPointers; i++)
storePtr(ImmWord(0), Address(obj, dataOffset + i * sizeof(char *)));
} else {
if (lengthKind == TypedArrayLength::Fixed)
move32(Imm32(length), lengthReg);
move32(Imm32(length), lengthReg);
// Allocate a buffer on the heap to store the data elements.
liveRegs.addUnchecked(temp);
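Review bot: `size_t nbytes = length * templateObj->bytesPerElement();` near the top of the restored body multiplies an `int32_t` with no check that `length` is non-negative or that the product does not wrap before the `dataOffset + nbytes <= JSObject::MAX_BYTE_SIZE` comparison that follows. The path is presumably safe because template objects are only created after `CalculateAllocSize` succeeds in the TypedArrayObject.cpp hunk, but that invariant is not stated or asserted here. I would add `MOZ_ASSERT(length >= 0);` after the `length` declaration and write `size_t nbytes = size_t(length) * templateObj->bytesPerElement();` so the widening is explicit and a negative length cannot silently become a huge unsigned size. The function's body continues outside the hunk.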


@ -35,7 +35,6 @@
#include "jit/VMFunctions.h"
#include "vm/ProxyObject.h"
#include "vm/Shape.h"
#include "vm/TypedArrayObject.h"
#include "vm/UnboxedObject.h"
// * How to read/write MacroAssembler method declarations:
@ -1529,7 +1528,7 @@ class MacroAssembler : public MacroAssemblerSpecific
bool initContents = true, bool convertDoubleElements = false);
void initTypedArraySlots(Register obj, Register temp, Register lengthReg,
LiveRegisterSet liveRegs, Label* fail,
TypedArrayObject* templateObj, TypedArrayLength lengthKind);
TypedArrayObject* templateObj);
void initUnboxedObjectContents(Register object, UnboxedPlainObject* templateObject);


@ -1084,28 +1084,6 @@ class LNewTypedArray : public LInstructionHelper<1, 0, 2>
}
};
class LNewTypedArrayDynamicLength : public LInstructionHelper<1, 1, 1>
{
public:
LIR_HEADER(NewTypedArrayDynamicLength)
explicit LNewTypedArrayDynamicLength(const LAllocation& length, const LDefinition& temp) {
setOperand(0, length);
setTemp(0, temp);
}
const LAllocation* length() {
return getOperand(0);
}
const LDefinition* temp() {
return getTemp(0);
}
MNewTypedArrayDynamicLength* mir() const {
return mir_->toNewTypedArrayDynamicLength();
}
};
class LNewObject : public LInstructionHelper<1, 0, 1>
{
public:


@ -68,7 +68,6 @@
_(NewArrayCopyOnWrite) \
_(NewArrayDynamicLength) \
_(NewTypedArray) \
_(NewTypedArrayDynamicLength) \
_(ArraySplice) \
_(NewObject) \
_(NewTypedObject) \


@ -43,7 +43,6 @@
#include "jsatominlines.h"
#include "gc/Nursery-inl.h"
#include "gc/StoreBuffer-inl.h"
#include "vm/ArrayBufferObject-inl.h"
#include "vm/NativeObject-inl.h"
@ -107,13 +106,6 @@ TypedArrayObject::ensureHasBuffer(JSContext* cx, Handle<TypedArrayObject*> tarra
// tarray is not shared, because if it were it would have a buffer.
memcpy(buffer->dataPointer(), tarray->viewDataUnshared(), tarray->byteLength());
// Free the data slot pointer if has no inline data
if (!tarray->hasInlineElements() && !cx->runtime()->gc.nursery.isInside(tarray->elements())) {
js_free(tarray->elements());
tarray->setInlineElements();
}
tarray->setPrivate(buffer->dataPointer());
tarray->setFixedSlot(TypedArrayObject::BUFFER_SLOT, ObjectValue(*buffer));
@ -170,7 +162,6 @@ TypedArrayObject::objectMovedDuringMinorGC(JSTracer* trc, JSObject* obj, const J
TypedArrayObject* newObj = &obj->as<TypedArrayObject>();
const TypedArrayObject* oldObj = &old->as<TypedArrayObject>();
MOZ_ASSERT(newObj->elements() == oldObj->elements());
MOZ_ASSERT(obj->isTenured());
// Typed arrays with a buffer object do not need an update.
if (oldObj->hasBuffer())
@ -604,6 +595,20 @@ class TypedArrayObjectTemplate : public TypedArrayObject
}
}
static void*
allocateTypedArrayElementsBuffer(JSContext* cx, uint32_t len)
{
if (len == 0)
return nullptr;
void* buf = cx->runtime()->pod_callocCanGC<HeapSlot>(len);
if (!buf) {
ReportOutOfMemory(cx);
return nullptr;
}
return buf;
}
static TypedArrayObject*
makeTypedArrayWithTemplate(JSContext* cx, TypedArrayObject* templateObj, uint32_t len)
{
@ -626,26 +631,17 @@ class TypedArrayObjectTemplate : public TypedArrayObject
NewObjectKind newKind = GenericObject;
void* buf = nullptr;
if (!fitsInline) {
buf = allocateTypedArrayElementsBuffer(cx, len);
if (!buf)
return nullptr;
}
RootedObject tmp(cx, NewObjectWithGroup<TypedArrayObject>(cx, group, allocKind, newKind));
if (!tmp)
return nullptr;
void* buf = nullptr;
if (!fitsInline && len > 0) {
buf = js::AllocateObjectBuffer<NativeType>(cx, len);
//buf = cx->runtime()->pod_callocCanGC<HeapSlot>(len);
if (!buf) {
ReportOutOfMemory(cx);
return nullptr;
}
memset(buf, 0, nbytes);
Nursery& nursery = cx->runtime()->gc.nursery;
if (!nursery.isInside(buf))
newKind = TenuredObject;
}
TypedArrayObject* obj = &tmp->as<TypedArrayObject>();
initTypedArraySlots(obj, len, buf, allocKind);
@ -1255,11 +1251,11 @@ TypedArrayObject::GetTemplateObjectForNative(JSContext* cx, Native native, uint3
if (native == &TypedArrayObjectTemplate<T>::class_constructor) { \
size_t nbytes; \
if (!js::CalculateAllocSize<T>(len, &nbytes)) \
return true; \
return false; \
\
if (nbytes < TypedArrayObject::SINGLETON_BYTE_LENGTH) { \
res.set(TypedArrayObjectTemplate<T>::makeTemplateObject(cx, len)); \
return true; \
return !!res; \
} \
}
JS_FOR_EACH_TYPED_ARRAY(CHECK_TYPED_ARRAY_CONSTRUCTOR)
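Review bot: In the restored `makeTypedArrayWithTemplate`, `newKind = TenuredObject` at the end of the `!fitsInline && len > 0` branch is assigned after `NewObjectWithGroup<TypedArrayObject>(cx, group, allocKind, newKind)` has already consumed `newKind` a few lines above, so on the visible lines the assignment cannot influence where `tmp` is allocated; unless `newKind` is read again below the hunk, either the nursery-vs-heap decision for `buf` has to precede the object allocation or the assignment is dead and should go. In that ordering it is also unclear from these lines who keeps `buf` alive across a minor GC if `tmp` ended up tenured while `AllocateObjectBuffer` returned nursery memory, so a comment stating the ownership of `buf` on that path would help. The commented-out `//buf = cx->runtime()->pod_callocCanGC<HeapSlot>(len);` is dead text and should be deleted rather than left as an alternative. The function starts and ends outside the hunk.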


@ -31,8 +31,6 @@ typedef struct JSProperty JSProperty;
namespace js {
enum class TypedArrayLength { Fixed, Dynamic };
/*
* TypedArrayObject
*