зеркало из https://github.com/mozilla/gecko-dev.git
Bug 1174712 - Tolerate singleton objects with uncacheable prototypes in Ion caches, r=jandem.
This commit is contained in:
Brian Hackett
Родитель
90ee9d633a
Коммит
abdda6fd96
|
|
@ -424,11 +424,17 @@ GeneratePrototypeGuards(JSContext* cx, IonScript* ion, MacroAssembler& masm, JSO
|
||||||
return;
|
return;
|
||||||
while (pobj != holder) {
|
while (pobj != holder) {
|
||||||
if (pobj->hasUncacheableProto()) {
|
if (pobj->hasUncacheableProto()) {
|
||||||
MOZ_ASSERT(!pobj->isSingleton());
|
|
||||||
masm.movePtr(ImmGCPtr(pobj), scratchReg);
|
masm.movePtr(ImmGCPtr(pobj), scratchReg);
|
||||||
Address groupAddr(scratchReg, JSObject::offsetOfGroup());
|
Address groupAddr(scratchReg, JSObject::offsetOfGroup());
|
||||||
|
if (pobj->isSingleton()) {
|
||||||
|
// Singletons can have their group's |proto| mutated directly.
|
||||||
|
masm.loadPtr(groupAddr, scratchReg);
|
||||||
|
Address protoAddr(scratchReg, ObjectGroup::offsetOfProto());
|
||||||
|
masm.branchPtr(Assembler::NotEqual, protoAddr, ImmGCPtr(pobj->getProto()), failures);
|
||||||
|
} else {
|
||||||
masm.branchPtr(Assembler::NotEqual, groupAddr, ImmGCPtr(pobj->group()), failures);
|
masm.branchPtr(Assembler::NotEqual, groupAddr, ImmGCPtr(pobj->group()), failures);
|
||||||
}
|
}
|
||||||
|
}
|
||||||
pobj = pobj->getProto();
|
pobj = pobj->getProto();
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Загрузка…
Ссылка в новой задаче