Bug 1824051 - Fix loading class and cOps and ensure we check for null r=iain

Fairly straightforward patch. I didn't add a test for this specifically,
because it turns out the previous tests would have been failing if I had just
correctly loaded the JSClass out of the BaseShape in the first place because
PlainObject has null class ops. We were actually loading the proto
pointer off the BaseShape before, and then loading an offset from that, which
just happened to usually be non-null, causing us to take the more conservative
path.

Depends on D185350

Differential Revision: https://phabricator.services.mozilla.com/D186170
Doug Thayer 2023-08-15 21:51:10 +00:00
Родитель 33f20e49a0
Коммит ac1cf29992
1 изменённых файлов: 7 добавлений и 4 удалений


@ -4605,23 +4605,26 @@ void MacroAssembler::branchTestObjectNeedsProxyResultValidation(
MOZ_ASSERT(cond == Assembler::Zero || cond == Assembler::NonZero);
Label done;
Label* needsValidation = cond == NonZero ? label : &done;
Label* doValidation = cond == NonZero ? label : &done;
Label* skipValidation = cond == NonZero ? &done : label;
loadPtr(Address(obj, JSObject::offsetOfShape()), scratch);
branchTest32(Assembler::Zero,
Address(scratch, Shape::offsetOfImmutableFlags()),
Imm32(Shape::isNativeBit()), needsValidation);
Imm32(Shape::isNativeBit()), doValidation);
static_assert(sizeof(ObjectFlags) == sizeof(uint16_t));
load16ZeroExtend(Address(scratch, Shape::offsetOfObjectFlags()), scratch);
branchTest32(Assembler::NonZero, scratch,
Imm32(uint32_t(ObjectFlag::NeedsProxyGetSetResultValidation)),
needsValidation);
doValidation);
loadPtr(Address(obj, JSObject::offsetOfShape()), scratch);
loadPtr(Address(scratch, Shape::offsetOfBaseShape()), scratch);
loadPtr(Address(scratch, BaseShape::offsetOfClasp()), scratch);
loadPtr(Address(scratch, offsetof(JSClass, cOps)), scratch);
branchTestPtr(Assembler::Zero, scratch, scratch, skipValidation);
loadPtr(Address(scratch, offsetof(JSClassOps, resolve)), scratch);
branchTestPtr(Assembler::NonZero, scratch, scratch, needsValidation);
branchTestPtr(Assembler::NonZero, scratch, scratch, doValidation);
bind(&done);
}
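Review bot: On the cond == Assembler::Zero path the final `branchTestPtr(Assembler::NonZero, scratch, scratch, doValidation)` falls through to `bind(&done)` when `resolve` is null, so an object with non-null cOps but no resolve hook never reaches `label` (skipValidation), while the new null-cOps check two lines earlier does jump to it. Whether any caller passes Zero is not visible here; if one does, adding `jump(skipValidation);` before `bind(&done);` makes both "no validation needed" exits agree (for NonZero it is a jump to the next instruction), and if only NonZero is ever passed, tightening the assert to `MOZ_ASSERT(cond == Assembler::NonZero);` would make that explicit. A short comment on the new null check, e.g. `// cOps can be null (PlainObject has no class ops); treat that as no resolve hook.`, would record why the check exists. branchTestObjectNeedsProxyResultValidation's signature sits above the hunk.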