Backed out changeset 8f3feee73843 (bug 1279992) for browser_pdfjs_main.js crashes on a CLOSED TREE.

2016-07-21 14:41:49 -04:00 · 2016-07-21 14:41:49 -04:00 · 76cac2b034
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@ -5502,12 +5502,8 @@ GetTemplateObjectForNative(JSContext* cx, HandleFunction target, const CallArgs&
        }
    }
-    if (args.length() == 1) {
+    if (args.length() == 1 && args[0].isInt32() && args[0].toInt32() >= 0) {
-        size_t len = 0;
+        uint32_t len = args[0].toInt32();
        if (args[0].isInt32() && args[0].toInt32() >= 0)
            len = args[0].toInt32();
        if (TypedArrayObject::GetTemplateObjectForNative(cx, native, len, res))
            return !!res;
    }
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@ -5440,34 +5440,7 @@ CodeGenerator::visitNewTypedArray(LNewTypedArray* lir)
    masm.createGCObject(objReg, tempReg, templateObject, initialHeap,
                        ool->entry(), /*initContents*/true, /*convertDoubleElements*/false);
-    masm.initTypedArraySlots(objReg, tempReg, lengthReg, liveRegs, ool->entry(),
+    masm.initTypedArraySlots(objReg, tempReg, lengthReg, liveRegs, ool->entry(), ttemplate);
                             ttemplate, TypedArrayLength::Fixed);
    masm.bind(ool->rejoin());
 }
 void
 CodeGenerator::visitNewTypedArrayDynamicLength(LNewTypedArrayDynamicLength* lir)
 {
    Register lengthReg = ToRegister(lir->length());
    Register objReg = ToRegister(lir->output());
    Register tempReg = ToRegister(lir->temp());
    LiveRegisterSet liveRegs = lir->safepoint()->liveRegs();
    JSObject* templateObject = lir->mir()->templateObject();
    gc::InitialHeap initialHeap = lir->mir()->initialHeap();
    TypedArrayObject* ttemplate = &templateObject->as<TypedArrayObject>();
    OutOfLineCode* ool = oolCallVM(TypedArrayConstructorOneArgInfo, lir,
                                   ArgList(ImmGCPtr(templateObject), lengthReg),
                                   StoreRegisterTo(objReg));
    masm.createGCObject(objReg, tempReg, templateObject, initialHeap,
                        ool->entry(), /*initContents*/true, /*convertDoubleElements*/false);
    masm.initTypedArraySlots(objReg, tempReg, lengthReg, liveRegs, ool->entry(),
                             ttemplate, TypedArrayLength::Dynamic);
    masm.bind(ool->rejoin());
 }
--- a/js/src/jit/CodeGenerator.h
+++ b/js/src/jit/CodeGenerator.h
@ -195,7 +195,6 @@ class CodeGenerator final : public CodeGeneratorSpecific
    void visitNewArrayCopyOnWrite(LNewArrayCopyOnWrite* lir);
    void visitNewArrayDynamicLength(LNewArrayDynamicLength* lir);
    void visitNewTypedArray(LNewTypedArray* lir);
    void visitNewTypedArrayDynamicLength(LNewTypedArrayDynamicLength* lir);
    void visitNewObjectVMCall(LNewObject* lir);
    void visitNewObject(LNewObject* lir);
    void visitOutOfLineNewObject(OutOfLineNewObject* ool);
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@ -247,17 +247,6 @@ LIRGenerator::visitNewTypedArray(MNewTypedArray* ins)
    assignSafepoint(lir, ins);
 }
 void
 LIRGenerator::visitNewTypedArrayDynamicLength(MNewTypedArrayDynamicLength* ins)
 {
    MDefinition* length = ins->length();
    MOZ_ASSERT(length->type() == MIRType::Int32);
    LNewTypedArrayDynamicLength* lir = new(alloc()) LNewTypedArrayDynamicLength(useRegister(length), temp());
    define(lir, ins);
    assignSafepoint(lir, ins);
 }
 void
 LIRGenerator::visitNewObject(MNewObject* ins)
 {
--- a/js/src/jit/Lowering.h
+++ b/js/src/jit/Lowering.h
@ -75,7 +75,6 @@ class LIRGenerator : public LIRGeneratorSpecific
    void visitNewArrayCopyOnWrite(MNewArrayCopyOnWrite* ins);
    void visitNewArrayDynamicLength(MNewArrayDynamicLength* ins);
    void visitNewTypedArray(MNewTypedArray* ins);
    void visitNewTypedArrayDynamicLength(MNewTypedArrayDynamicLength* ins);
    void visitNewObject(MNewObject* ins);
    void visitNewTypedObject(MNewTypedObject* ins);
    void visitNewDeclEnvObject(MNewDeclEnvObject* ins);
--- a/js/src/jit/MCallOptimize.cpp
+++ b/js/src/jit/MCallOptimize.cpp
@ -2302,6 +2302,9 @@ IonBuilder::inlineTypedArray(CallInfo& callInfo, Native native)
    if (arg->type() != MIRType::Int32)
        return InliningStatus_NotInlined;
    if (!arg->maybeConstantValue())
        return InliningStatus_NotInlined;
    JSObject* templateObject = inspector->getTemplateObjectForNative(pc, native);
    if (!templateObject) {
@ -2317,30 +2320,22 @@ IonBuilder::inlineTypedArray(CallInfo& callInfo, Native native)
    if (templateObject->isSingleton())
        return InliningStatus_NotInlined;
-    MInstruction* ins = nullptr;
+    // Negative lengths must throw a RangeError.  (We don't track that this
    // might have previously thrown, when determining whether to inline, so we
    // have to deal with this error case when inlining.)
    int32_t providedLen = arg->maybeConstantValue()->toInt32();
    if (providedLen < 0)
        return InliningStatus_NotInlined;
-    if (!arg->isConstant()) {
+    uint32_t len = AssertedCast<uint32_t>(providedLen);
        callInfo.setImplicitlyUsedUnchecked();
        ins = MNewTypedArrayDynamicLength::New(alloc(), constraints(), templateObject,
                                               templateObject->group()->initialHeap(constraints()),
                                               arg);
    } else {
        // Negative lengths must throw a RangeError.  (We don't track that this
        // might have previously thrown, when determining whether to inline, so we
        // have to deal with this error case when inlining.)
        int32_t providedLen = arg->maybeConstantValue()->toInt32();
        if (providedLen < 0)
            return InliningStatus_NotInlined;
-        uint32_t len = AssertedCast<uint32_t>(providedLen);
+    if (obj->length() != len)
        return InliningStatus_NotInlined;
-        if (obj->length() != len)
+    callInfo.setImplicitlyUsedUnchecked();
            return InliningStatus_NotInlined;
-        callInfo.setImplicitlyUsedUnchecked();
+    MInstruction* ins = MNewTypedArray::New(alloc(), constraints(), obj,
-        ins = MNewTypedArray::New(alloc(), constraints(), obj,
+                                            obj->group()->initialHeap(constraints()));
                                  obj->group()->initialHeap(constraints()));
    }
    current->add(ins);
    current->push(ins);
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@ -3333,50 +3333,6 @@ class MNewTypedArray : public MNullaryInstruction
    }
 };
 class MNewTypedArrayDynamicLength
  : public MUnaryInstruction,
    public IntPolicy<0>::Data
 {
    CompilerObject templateObject_;
    gc::InitialHeap initialHeap_;
    MNewTypedArrayDynamicLength(CompilerConstraintList* constraints, JSObject* templateObject,
                           gc::InitialHeap initialHeap, MDefinition* length)
      : MUnaryInstruction(length),
        templateObject_(templateObject),
        initialHeap_(initialHeap)
    {
        setGuard(); // Need to throw if length is negative.
        setResultType(MIRType::Object);
        if (!templateObject->isSingleton())
            setResultTypeSet(MakeSingletonTypeSet(constraints, templateObject));
    }
  public:
    INSTRUCTION_HEADER(NewTypedArrayDynamicLength)
    static MNewTypedArrayDynamicLength* New(TempAllocator& alloc, CompilerConstraintList* constraints,
                                            JSObject* templateObject, gc::InitialHeap initialHeap,
                                            MDefinition* length)
    {
        return new(alloc) MNewTypedArrayDynamicLength(constraints, templateObject, initialHeap, length);
    }
    MDefinition* length() const {
        return getOperand(0);
    }
    JSObject* templateObject() const {
        return templateObject_;
    }
    gc::InitialHeap initialHeap() const {
        return initialHeap_;
    }
    virtual AliasSet getAliasSet() const override {
        return AliasSet::None();
    }
 };
 class MNewObject
  : public MUnaryInstruction,
    public NoTypePolicy::Data
--- a/js/src/jit/MOpcodes.h
+++ b/js/src/jit/MOpcodes.h
@ -130,7 +130,6 @@ namespace jit {
    _(NewArrayCopyOnWrite)                                                  \
    _(NewArrayDynamicLength)                                                \
    _(NewTypedArray)                                                        \
    _(NewTypedArrayDynamicLength)                                           \
    _(NewObject)                                                            \
    _(NewTypedObject)                                                       \
    _(NewDeclEnvObject)                                                     \
--- a/js/src/jit/MacroAssembler.cpp
+++ b/js/src/jit/MacroAssembler.cpp
@ -1059,7 +1059,7 @@ JS_FOR_EACH_TYPED_ARRAY(CREATE_TYPED_ARRAY)
 void
 MacroAssembler::initTypedArraySlots(Register obj, Register temp, Register lengthReg,
                                    LiveRegisterSet liveRegs, Label* fail,
-                                    TypedArrayObject* templateObj, TypedArrayLength lengthKind)
+                                    TypedArrayObject* templateObj)
 {
    MOZ_ASSERT(templateObj->hasPrivate());
    MOZ_ASSERT(!templateObj->hasBuffer());
@ -1074,7 +1074,7 @@ MacroAssembler::initTypedArraySlots(Register obj, Register temp, Register length
    int32_t length = templateObj->length();
    size_t nbytes = length * templateObj->bytesPerElement();
-    if (lengthKind == TypedArrayLength::Fixed && dataOffset + nbytes <= JSObject::MAX_BYTE_SIZE) {
+    if (dataOffset + nbytes <= JSObject::MAX_BYTE_SIZE) {
        MOZ_ASSERT(dataOffset + nbytes <= templateObj->tenuredSizeOfThis());
        // Store data elements inside the remaining JSObject slots.
@ -1093,8 +1093,7 @@ MacroAssembler::initTypedArraySlots(Register obj, Register temp, Register length
        for (size_t i = 0; i < numZeroPointers; i++)
            storePtr(ImmWord(0), Address(obj, dataOffset + i * sizeof(char *)));
    } else {
-        if (lengthKind == TypedArrayLength::Fixed)
+        move32(Imm32(length), lengthReg);
            move32(Imm32(length), lengthReg);
        // Allocate a buffer on the heap to store the data elements.
        liveRegs.addUnchecked(temp);
--- a/js/src/jit/MacroAssembler.h
+++ b/js/src/jit/MacroAssembler.h
@ -35,7 +35,6 @@
 #include "jit/VMFunctions.h"
 #include "vm/ProxyObject.h"
 #include "vm/Shape.h"
 #include "vm/TypedArrayObject.h"
 #include "vm/UnboxedObject.h"
 // * How to read/write MacroAssembler method declarations:
@ -1529,7 +1528,7 @@ class MacroAssembler : public MacroAssemblerSpecific
                     bool initContents = true, bool convertDoubleElements = false);
    void initTypedArraySlots(Register obj, Register temp, Register lengthReg,
                             LiveRegisterSet liveRegs, Label* fail,
-                             TypedArrayObject* templateObj, TypedArrayLength lengthKind);
+                             TypedArrayObject* templateObj);
    void initUnboxedObjectContents(Register object, UnboxedPlainObject* templateObject);
--- a/js/src/jit/shared/LIR-shared.h
+++ b/js/src/jit/shared/LIR-shared.h
@ -1084,28 +1084,6 @@ class LNewTypedArray : public LInstructionHelper<1, 0, 2>
    }
 };
 class LNewTypedArrayDynamicLength : public LInstructionHelper<1, 1, 1>
 {
  public:
    LIR_HEADER(NewTypedArrayDynamicLength)
    explicit LNewTypedArrayDynamicLength(const LAllocation& length, const LDefinition& temp) {
        setOperand(0, length);
        setTemp(0, temp);
    }
    const LAllocation* length() {
        return getOperand(0);
    }
    const LDefinition* temp() {
        return getTemp(0);
    }
    MNewTypedArrayDynamicLength* mir() const {
        return mir_->toNewTypedArrayDynamicLength();
    }
 };
 class LNewObject : public LInstructionHelper<1, 0, 1>
 {
  public:
--- a/js/src/jit/shared/LOpcodes-shared.h
+++ b/js/src/jit/shared/LOpcodes-shared.h
@ -68,7 +68,6 @@
    _(NewArrayCopyOnWrite)          \
    _(NewArrayDynamicLength)        \
    _(NewTypedArray)                \
    _(NewTypedArrayDynamicLength)   \
    _(ArraySplice)                  \
    _(NewObject)                    \
    _(NewTypedObject)               \
--- a/js/src/vm/TypedArrayObject.cpp
+++ b/js/src/vm/TypedArrayObject.cpp
@ -43,7 +43,6 @@
 #include "jsatominlines.h"
 #include "gc/Nursery-inl.h"
 #include "gc/StoreBuffer-inl.h"
 #include "vm/ArrayBufferObject-inl.h"
 #include "vm/NativeObject-inl.h"
@ -107,13 +106,6 @@ TypedArrayObject::ensureHasBuffer(JSContext* cx, Handle<TypedArrayObject*> tarra
    // tarray is not shared, because if it were it would have a buffer.
    memcpy(buffer->dataPointer(), tarray->viewDataUnshared(), tarray->byteLength());
    // Free the data slot pointer if has no inline data
    if (!tarray->hasInlineElements() && !cx->runtime()->gc.nursery.isInside(tarray->elements())) {
        js_free(tarray->elements());
        tarray->setInlineElements();
    }
    tarray->setPrivate(buffer->dataPointer());
    tarray->setFixedSlot(TypedArrayObject::BUFFER_SLOT, ObjectValue(*buffer));
@ -170,7 +162,6 @@ TypedArrayObject::objectMovedDuringMinorGC(JSTracer* trc, JSObject* obj, const J
    TypedArrayObject* newObj = &obj->as<TypedArrayObject>();
    const TypedArrayObject* oldObj = &old->as<TypedArrayObject>();
    MOZ_ASSERT(newObj->elements() == oldObj->elements());
    MOZ_ASSERT(obj->isTenured());
    // Typed arrays with a buffer object do not need an update.
    if (oldObj->hasBuffer())
@ -604,6 +595,20 @@ class TypedArrayObjectTemplate : public TypedArrayObject
        }
    }
    static void*
    allocateTypedArrayElementsBuffer(JSContext* cx, uint32_t len)
    {
        if (len == 0)
            return nullptr;
        void* buf = cx->runtime()->pod_callocCanGC<HeapSlot>(len);
        if (!buf) {
            ReportOutOfMemory(cx);
            return nullptr;
        }
        return buf;
    }
    static TypedArrayObject*
    makeTypedArrayWithTemplate(JSContext* cx, TypedArrayObject* templateObj, uint32_t len)
    {
@ -626,26 +631,17 @@ class TypedArrayObjectTemplate : public TypedArrayObject
        NewObjectKind newKind = GenericObject;
        void* buf = nullptr;
        if (!fitsInline) {
            buf = allocateTypedArrayElementsBuffer(cx, len);
            if (!buf)
                return nullptr;
        }
        RootedObject tmp(cx, NewObjectWithGroup<TypedArrayObject>(cx, group, allocKind, newKind));
        if (!tmp)
            return nullptr;
        void* buf = nullptr;
        if (!fitsInline && len > 0) {
            buf = js::AllocateObjectBuffer<NativeType>(cx, len);
            //buf = cx->runtime()->pod_callocCanGC<HeapSlot>(len);
            if (!buf) {
                ReportOutOfMemory(cx);
                return nullptr;
            }
            memset(buf, 0, nbytes);
            Nursery& nursery = cx->runtime()->gc.nursery;
            if (!nursery.isInside(buf))
                newKind = TenuredObject;
        }
        TypedArrayObject* obj = &tmp->as<TypedArrayObject>();
        initTypedArraySlots(obj, len, buf, allocKind);
@ -1255,11 +1251,11 @@ TypedArrayObject::GetTemplateObjectForNative(JSContext* cx, Native native, uint3
    if (native == &TypedArrayObjectTemplate<T>::class_constructor) { \
        size_t nbytes; \
        if (!js::CalculateAllocSize<T>(len, &nbytes)) \
-            return true; \
+            return false; \
        \
        if (nbytes < TypedArrayObject::SINGLETON_BYTE_LENGTH) { \
            res.set(TypedArrayObjectTemplate<T>::makeTemplateObject(cx, len)); \
-            return true; \
+            return !!res; \
        } \
    }
 JS_FOR_EACH_TYPED_ARRAY(CHECK_TYPED_ARRAY_CONSTRUCTOR)
--- a/js/src/vm/TypedArrayObject.h
+++ b/js/src/vm/TypedArrayObject.h
@ -31,8 +31,6 @@ typedef struct JSProperty JSProperty;
 namespace js {
 enum class TypedArrayLength { Fixed, Dynamic };
 /*
 * TypedArrayObject
 *