From f4e85180d04cb19ca8fb64a2bfadd93e8c007dd3 Mon Sep 17 00:00:00 2001 From: "Nicholas D. Matsakis" Date: Thu, 6 Feb 2014 11:14:02 -0500 Subject: [PATCH] Bug 966575 part 4.5 -- Pretenure type descriptors and things they can reach r=sfink --- js/src/builtin/SIMD.cpp | 2 +- js/src/builtin/TypeRepresentation.cpp | 2 +- js/src/builtin/TypedObject.cpp | 17 ++++++++++------- js/src/jsinfer.cpp | 4 ++++ 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/js/src/builtin/SIMD.cpp b/js/src/builtin/SIMD.cpp index b5fa2b6aabaf..2cd01f70a847 100644 --- a/js/src/builtin/SIMD.cpp +++ b/js/src/builtin/SIMD.cpp @@ -204,7 +204,7 @@ CreateX4Class(JSContext *cx, Handle global) // Create type constructor itself and initialize its reserved slots. Rooted x4(cx); - x4 = NewObjectWithProto(cx, funcProto, global); + x4 = NewObjectWithProto(cx, funcProto, global, TenuredObject); if (!x4 || !InitializeCommonTypeDescriptorProperties(cx, x4, typeReprObj)) return nullptr; x4->initReservedSlot(JS_DESCR_SLOT_TYPE_REPR, ObjectValue(*typeReprObj)); diff --git a/js/src/builtin/TypeRepresentation.cpp b/js/src/builtin/TypeRepresentation.cpp index a09d240ff5ca..86bd470b26fe 100644 --- a/js/src/builtin/TypeRepresentation.cpp +++ b/js/src/builtin/TypeRepresentation.cpp @@ -396,7 +396,7 @@ TypeRepresentation::addToTableOrFree(JSContext *cx, // remove ourselves from the table ourselves and report an error. RootedObject ownerObject(cx); ownerObject = NewObjectWithGivenProto(cx, &class_, objectProto, - cx->global()); + cx->global(), TenuredObject); if (!ownerObject) { comp->typeReprs.remove(this); js_free(this); diff --git a/js/src/builtin/TypedObject.cpp b/js/src/builtin/TypedObject.cpp index 2b36f0491da4..b99fcf683fee 100644 --- a/js/src/builtin/TypedObject.cpp +++ b/js/src/builtin/TypedObject.cpp @@ -526,7 +526,8 @@ ArrayMetaTypeDescr::create(JSContext *cx, { JS_ASSERT(TypeRepresentation::isOwnerObject(*arrayTypeReprObj)); - Rooted obj(cx, NewObjectWithProto(cx, arrayTypePrototype, nullptr)); + Rooted obj(cx, NewObjectWithProto(cx, arrayTypePrototype, nullptr, + TenuredObject)); if (!obj) return nullptr; obj->initReservedSlot(JS_DESCR_SLOT_TYPE_REPR, @@ -811,10 +812,10 @@ StructMetaTypeDescr::layout(JSContext *cx, // fieldNames : [ string ] // fieldOffsets : { string: integer, ... } // fieldTypes : { string: Type, ... } - RootedObject fieldOffsets( - cx, NewObjectWithProto(cx, nullptr, nullptr)); - RootedObject fieldTypes( - cx, NewObjectWithProto(cx, nullptr, nullptr)); + RootedObject fieldOffsets(cx); + fieldOffsets = NewObjectWithProto(cx, nullptr, nullptr, TenuredObject); + RootedObject fieldTypes(cx); + fieldTypes = NewObjectWithProto(cx, nullptr, nullptr, TenuredObject); for (size_t i = 0; i < typeRepr->fieldCount(); i++) { const StructField &field = typeRepr->field(i); RootedId fieldId(cx, NameToId(field.propertyName)); @@ -858,7 +859,8 @@ StructMetaTypeDescr::create(JSContext *cx, return nullptr; Rooted descr(cx); - descr = NewObjectWithProto(cx, structTypePrototype, nullptr); + descr = NewObjectWithProto(cx, structTypePrototype, nullptr, + TenuredObject); if (!descr) return nullptr; @@ -969,7 +971,8 @@ DefineSimpleTypeDescr(JSContext *cx, RootedObject funcProto(cx, global->getOrCreateFunctionPrototype(cx)); JS_ASSERT(funcProto); - Rooted numFun(cx, NewObjectWithProto(cx, funcProto, global)); + Rooted numFun(cx, NewObjectWithProto(cx, funcProto, global, + TenuredObject)); if (!numFun) return false; diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp index b7a108f8a95c..08997ee0a080 100644 --- a/js/src/jsinfer.cpp +++ b/js/src/jsinfer.cpp @@ -4639,6 +4639,10 @@ TypeObject::addTypedObjectAddendum(JSContext *cx, Handle descr) if (!cx->typeInferenceEnabled()) return true; + // Type descriptors are always pre-tenured. This is both because + // we expect them to live a long time and so that they can be + // safely accessed during ion compilation. + JS_ASSERT(!IsInsideNursery(cx->runtime(), descr)); JS_ASSERT(descr); if (flags() & OBJECT_FLAG_ADDENDUM_CLEARED)