зеркало из https://github.com/mozilla/gecko-dev.git
Bug 945453 - Postbarrier JIT-code writes to arguments objects r=terrence r=djvj
Родитель
ce39dc2f53
Коммит
9b1330b3b0
|
@ -10,6 +10,7 @@
|
||||||
|
|
||||||
#include "mozilla/Assertions.h"
|
#include "mozilla/Assertions.h"
|
||||||
|
|
||||||
|
#include "vm/ArgumentsObject.h"
|
||||||
#include "vm/ForkJoin.h"
|
#include "vm/ForkJoin.h"
|
||||||
|
|
||||||
#include "jsgcinlines.h"
|
#include "jsgcinlines.h"
|
||||||
|
@ -64,7 +65,11 @@ StoreBuffer::WholeCellEdges::mark(JSTracer *trc)
|
||||||
JS_ASSERT(tenured->isTenured());
|
JS_ASSERT(tenured->isTenured());
|
||||||
JSGCTraceKind kind = GetGCThingTraceKind(tenured);
|
JSGCTraceKind kind = GetGCThingTraceKind(tenured);
|
||||||
if (kind <= JSTRACE_OBJECT) {
|
if (kind <= JSTRACE_OBJECT) {
|
||||||
MarkChildren(trc, static_cast<JSObject *>(tenured));
|
JSObject *object = static_cast<JSObject *>(tenured);
|
||||||
|
if (object->is<ArgumentsObject>())
|
||||||
|
ArgumentsObject::trace(trc, object);
|
||||||
|
else
|
||||||
|
MarkChildren(trc, object);
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
#ifdef JS_ION
|
#ifdef JS_ION
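Review bot: The new `object->is<ArgumentsObject>()` branch in `StoreBuffer::WholeCellEdges::mark` has no comment saying why arguments objects are routed to `ArgumentsObject::trace` instead of `MarkChildren`, and the reason cannot be recovered from the hunk. This path re-traces tenured cells recorded by a post barrier, so a later cleanup that merges the two branches could leave a nursery pointer in a tenured arguments object untraced across a minor GC, which is a use-after-free class of bug. A comment above the `if` would guard against that, for example `// JIT code post-barriers arguments objects as whole cells; trace them through ArgumentsObject::trace.`, extended with what that hook visits that the generic path does not (to be confirmed against ArgumentsObject). The function body continues past the end of the hunk.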
|
||||||
|
|
|
@ -2343,6 +2343,26 @@ BaselineCompiler::emitFormalArgAccess(uint32_t arg, bool get)
|
||||||
} else {
|
} else {
|
||||||
masm.patchableCallPreBarrier(argAddr, MIRType_Value);
|
masm.patchableCallPreBarrier(argAddr, MIRType_Value);
|
||||||
storeValue(frame.peek(-1), argAddr, R0);
|
storeValue(frame.peek(-1), argAddr, R0);
|
||||||
|
|
||||||
|
#ifdef JSGC_GENERATIONAL
|
||||||
|
// Fully sync the stack if post-barrier is needed.
|
||||||
|
frame.syncStack(0);
|
||||||
|
|
||||||
|
// Reload the arguments object
|
||||||
|
Register reg = R2.scratchReg();
|
||||||
|
masm.loadPtr(Address(BaselineFrameReg, BaselineFrame::reverseOffsetOfArgsObj()), reg);
|
||||||
|
|
||||||
|
Nursery &nursery = cx->runtime()->gcNursery;
|
||||||
|
Label skipBarrier;
|
||||||
|
Label isTenured;
|
||||||
|
masm.branchPtr(Assembler::Below, reg, ImmWord(nursery.start()), &isTenured);
|
||||||
|
masm.branchPtr(Assembler::Below, reg, ImmWord(nursery.heapEnd()), &skipBarrier);
|
||||||
|
|
||||||
|
masm.bind(&isTenured);
|
||||||
|
masm.call(&postBarrierSlot_);
|
||||||
|
|
||||||
|
masm.bind(&skipBarrier);
|
||||||
|
#endif
|
||||||
}
|
}
|
||||||
|
|
||||||
masm.bind(&done);
|
masm.bind(&done);
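Review bot: The post barrier emitted after `storeValue(frame.peek(-1), argAddr, R0)` in `emitFormalArgAccess` tests only where the arguments object lives and never inspects the stored value, so every set on a tenured arguments object calls `postBarrierSlot_`, including stores of primitives. The Ion path in this same commit gates on `NeedsPostBarrier(info(), val)`. Over-barriering is safe, but it should be documented so it is not read as an oversight. The two `branchPtr` comparisons also bake `nursery.start()` and `nursery.heapEnd()` into the code as immediates, which assumes the nursery bounds stay fixed for the lifetime of the compiled script. The stub apparently takes the object in `R2.scratchReg()`, which nothing here states. A comment such as `// postBarrierSlot_ expects the object in R2.scratchReg(); barrier regardless of value type, skip only when the arguments object is itself in the nursery.` would record both. The function starts before the hunk and is not shown to its end.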
|
||||||
|
|
|
@ -9111,7 +9111,10 @@ IonBuilder::jsop_setarg(uint32_t arg)
|
||||||
// If an arguments object is in use, and it aliases formals, then all SETARGs
|
// If an arguments object is in use, and it aliases formals, then all SETARGs
|
||||||
// must go through the arguments object.
|
// must go through the arguments object.
|
||||||
if (info().argsObjAliasesFormals()) {
|
if (info().argsObjAliasesFormals()) {
|
||||||
current->add(MSetArgumentsObjectArg::New(alloc(), current->argumentsObject(), GET_SLOTNO(pc), val));
|
if (NeedsPostBarrier(info(), val))
|
||||||
|
current->add(MPostWriteBarrier::New(alloc(), current->argumentsObject(), val));
|
||||||
|
current->add(MSetArgumentsObjectArg::New(alloc(), current->argumentsObject(),
|
||||||
|
GET_SLOTNO(pc), val));
|
||||||
return true;
|
return true;
|
||||||
}
|
}
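Review bot: In `IonBuilder::jsop_setarg` the `MPostWriteBarrier` is added with no build guard, while the matching Baseline code in this commit sits under `#ifdef JSGC_GENERATIONAL`. The two are equivalent only if `NeedsPostBarrier` is always false in non-generational builds, which the hunk does not show. The existing comment says SETARGs go through the arguments object but not that the barrier is therefore keyed on `current->argumentsObject()` rather than on the formal's frame slot. One line such as `// The store lands in the arguments object, so that object is what gets barriered.` would record this. The function begins before the hunk and is not shown to its end.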
|
||||||
|
|
||||||
|
|