From 94b5cf539fe2e90c1f466ad222a684c8456a5873 Mon Sep 17 00:00:00 2001
From: Jan de Mooij
Date: Thu, 24 May 2018 12:02:53 +0200
Subject: [PATCH] Bug 1461938 part 31 - Move detachedTypedObjects flag to JS::Zone. r=jwalden
---
 js/src/gc/Zone.h | 7 +++++++
 js/src/jit/CacheIR.cpp | 11 +++++------
 js/src/jit/CacheIRCompiler.cpp | 10 +++++-----
 js/src/vm/ArrayBufferObject.cpp | 6 +++---
 js/src/vm/JSCompartment.cpp | 1 -
 js/src/vm/JSCompartment.h | 4 ----
 6 files changed, 20 insertions(+), 19 deletions(-)
diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
index 25e36370d21a..d6fdfcf857b7 100644
--- a/js/src/gc/Zone.h
+++ b/js/src/gc/Zone.h
@@ -698,6 +698,13 @@ struct Zone : public JS::shadow::Zone,
 return p;
 }
+ // Non-zero if the storage underlying any typed object in this zone might
+ be detached. This is stored in Zone because IC stubs bake in a pointer
+ to this field and Baseline IC code is shared across realms within a
+ Zone. Furthermore, it's not entirely clear if this flag is ever set to
+ a non-zero value since bug 1458011.
+ uint32_t detachedTypedObjects = 0;
+
 private:
 js::ZoneData jitZone_;
diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
index c32529d64260..f4d072df160e 100644
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -1604,7 +1604,7 @@ GetPropIRGenerator::tryAttachTypedObject(HandleObject obj, ObjOperandId objId, H
 if (!obj->is())
 return false;
- if (!cx_->runtime()->jitSupportsFloatingPoint || cx_->compartment()->detachedTypedObjects)
+ if (!cx_->runtime()->jitSupportsFloatingPoint || cx_->zone()->detachedTypedObjects)
 return false;
 TypedObject* typedObj = &obj->as();
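Review bot: The comment added above `detachedTypedObjects` says it is unclear whether the flag is ever set since bug 1458011, yet this same patch keeps a writer in `ArrayBufferObject::detach`, which stores 1 when `buffer->hasTypedObjectViews()` holds; a reader of Zone.h cannot tell which statement to trust. Naming the writer would make the hedge precise, e.g. `// The only writer is ArrayBufferObject::detach (buffers with typed object views); whether that path is still reachable since bug 1458011 is unclear.` It would also help to say why the field is a public, non-const data member rather than an accessor: `CacheIRCompiler::emitGuardNoDetachedTypedObjects` takes `&cx_->zone()->detachedTypedObjects` and embeds it in jitcode, so any change to the field's type or location needs a matching change there.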
@@ -2070,7 +2070,7 @@ GetPropIRGenerator::tryAttachTypedElement(HandleObject obj, ObjOperandId objId,
 // Don't attach typed object stubs if the underlying storage could be
 // detached, as the stub will always bail out.
- if (IsPrimitiveArrayTypedObject(obj) && cx_->compartment()->detachedTypedObjects)
+ if (IsPrimitiveArrayTypedObject(obj) && cx_->zone()->detachedTypedObjects)
 return false;
 TypedThingLayout layout = GetTypedThingLayout(obj->getClass());
@@ -3296,7 +3296,7 @@ SetPropIRGenerator::tryAttachTypedObjectProperty(HandleObject obj, ObjOperandId
 if (!obj->is())
 return false;
- if (!cx_->runtime()->jitSupportsFloatingPoint || cx_->compartment()->detachedTypedObjects)
+ if (!cx_->runtime()->jitSupportsFloatingPoint || cx_->zone()->detachedTypedObjects)
 return false;
 if (!obj->as().typeDescr().is())
@@ -3690,9 +3690,8 @@ SetPropIRGenerator::tryAttachSetTypedElement(HandleObject obj, ObjOperandId objI
 return false;
 // Don't attach stubs if the underlying storage for typed objects
- // in the compartment could be detached, as the stub will always
- bail out.
- if (cx_->compartment()->detachedTypedObjects)
+ // in the zone could be detached, as the stub will always bail out.
+ if (cx_->zone()->detachedTypedObjects)
 return false;
 }
diff --git a/js/src/jit/CacheIRCompiler.cpp b/js/src/jit/CacheIRCompiler.cpp
index bf6330b3f1b1..da18ddf83cd8 100644
--- a/js/src/jit/CacheIRCompiler.cpp
+++ b/js/src/jit/CacheIRCompiler.cpp
@@ -1648,10 +1648,10 @@ CacheIRCompiler::emitGuardNoDetachedTypedObjects()
 if (!addFailurePath(&failure))
 return false;
- // All stubs manipulating typed objects must check the compartment-wide
- flag indicating whether their underlying storage might be detached, to
- bail out if needed.
- int32_t* address = &cx_->compartment()->detachedTypedObjects;
+ // All stubs manipulating typed objects must check the zone-wide flag
+ indicating whether their underlying storage might be detached, to bail
+ out if needed.
+ uint32_t* address = &cx_->zone()->detachedTypedObjects;
 masm.branch32(Assembler::NotEqual, AbsoluteAddress(address), Imm32(0), failure->label());
 return true;
 }
@@ -3142,4 +3142,4 @@ CacheIRCompiler::emitLoadObject()
 StubFieldOffset obj(reader.stubOffset(), StubField::Type::JSObject);
 emitLoadStubField(obj, reg);
 return true;
-}
\ No newline at end of file
+}
diff --git a/js/src/vm/ArrayBufferObject.cpp b/js/src/vm/ArrayBufferObject.cpp
index 3a2fea6d9260..35e7aff7ae03 100644
--- a/js/src/vm/ArrayBufferObject.cpp
+++ b/js/src/vm/ArrayBufferObject.cpp
@@ -492,8 +492,8 @@ ArrayBufferObject::detach(JSContext* cx, Handle buffer,
 // When detaching a buffer with typed object views, any jitcode accessing
 // such views must be deoptimized so that detachment checks are performed.
- // This is done by setting a compartment-wide flag indicating that buffers
- with typed object views have been detached.
+ // This is done by setting a zone-wide flag indicating that buffers with
+ typed object views have been detached.
 if (buffer->hasTypedObjectViews()) {
 // Make sure the global object's group has been instantiated, so the
 // flag change will be observed.
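Review bot: `address` in emitGuardNoDetachedTypedObjects is embedded in the generated stub through `AbsoluteAddress(address)`, so the guard that keeps typed-object stubs off detached storage is only sound while the Zone owning the field stays alive and unmoved for the whole lifetime of that jitcode; neither the rewritten comment here nor the one in Zone.h states that dependency. Suggest adding after the existing comment: `// The field's address is baked into the stub, so this presumably relies on stubs never outliving the Zone that owns them.` The pointer is only read by the emitted compare, so `const uint32_t* address` would document intent if `AbsoluteAddress` accepts a const pointer (its signature is not visible here). The function's head is outside the hunk.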
@@ -501,7 +501,7 @@ ArrayBufferObject::detach(JSContext* cx, Handle buffer,
 if (!JSObject::getGroup(cx, cx->global()))
 oomUnsafe.crash("ArrayBufferObject::detach");
 MarkObjectGroupFlags(cx, cx->global(), OBJECT_FLAG_TYPED_OBJECT_HAS_DETACHED_BUFFER);
- cx->compartment()->detachedTypedObjects = 1;
+ cx->zone()->detachedTypedObjects = 1;
 }
 // Update all views of the buffer to account for the buffer having been
diff --git a/js/src/vm/JSCompartment.cpp b/js/src/vm/JSCompartment.cpp
index 2e4e85c4c177..7be30a214773 100644
--- a/js/src/vm/JSCompartment.cpp
+++ b/js/src/vm/JSCompartment.cpp
@@ -46,7 +46,6 @@ JSCompartment::JSCompartment(Zone* zone)
 runtime_(zone->runtimeFromAnyThread()),
 data(nullptr),
 regExps(),
- detachedTypedObjects(0),
 innerViews(zone),
 gcIncomingGrayPointers(nullptr),
 enumerators(nullptr)
diff --git a/js/src/vm/JSCompartment.h b/js/src/vm/JSCompartment.h
index ffe77aa70991..4b50c6363507 100644
--- a/js/src/vm/JSCompartment.h
+++ b/js/src/vm/JSCompartment.h
@@ -597,10 +597,6 @@ struct JSCompartment
 js::SystemAllocPolicy>;
 IteratorCache iteratorCache;
- // Non-zero if the storage underlying any typed object in this compartment
- might be detached.
- int32_t detachedTypedObjects;
-
 // Recompute the probability with which this compartment should record
 // profiling data (stack traces, allocations log, etc.) about each
 // allocation. We consult the probabilities requested by the Debugger
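Review bot: The store `cx->zone()->detachedTypedObjects = 1;` is now zone-wide, but the line before it, `MarkObjectGroupFlags(cx, cx->global(), OBJECT_FLAG_TYPED_OBJECT_HAS_DETACHED_BUFFER);`, still marks only the current realm's global group; if typed object views of this buffer can live in another realm of the same zone, the group-flag deoptimization path would not see the detachment there, which is worth confirming since these flags are what keep compiled code from touching detached storage. Nothing in this patch ever writes 0 to the flag, so the sticky semantics deserve a comment at the store, e.g. `// Sticky: once set, every typed-object IC stub in this zone bails out (see CacheIRCompiler::emitGuardNoDetachedTypedObjects).` ArrayBufferObject::detach continues outside the hunk.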