If an interrupt occurs during regexp execution, we return up the stack to RegExpShared::execute to handle it, then try again. Normally it's safe (if slow) to GC and discard jitcode at this point, because we can fall back to interpreted bytecode (which is not discarded). However, if the input string is long enough, then we [jump straight to compilation without producing bytecode](https://searchfox.org/mozilla-central/rev/7067bbd8194f4346ec59d77c33cd88f06763e090/js/src/vm/RegExpObject.cpp#590-596). In that case, when we resume, we will have neither bytecode nor jitcode, and end up dereferencing a null pointer.
The fix is to recompile after handling the interrupt. In addition to fixing the crash, forcing compilation here should improve our chance of eventual success (compared to resuming in the regexp interpreter).
Differential Revision: https://phabricator.services.mozilla.com/D104479
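The resume path described above, as an added illustration that is not SpiderMonkey code: a constructed C++ model of a RegExpShared that holds optional bytecode and optional jitcode, skips bytecode for long inputs, and may lose its jitcode to GC while an interrupt is handled. The type and function names (`RegExpShared`, `executeOnce`, `execute`, `kLongInputThreshold`) are simplified stand-ins for the real ones, and the threshold value is invented. The `recompileAfterInterrupt` switch contrasts the resume-without-recompiling behaviour (which reaches a state with neither bytecode nor jitcode) with the fix (force compilation before retrying).

```cpp
#include <cstddef>
#include <memory>

// Constructed model of tiered regexp execution; not SpiderMonkey's implementation.
struct Bytecode { int interpretable = 1; };
struct JitCode  { int native = 1; };

enum class ExecResult { Match, Interrupted, NullCodeDeref };

struct RegExpShared {
  std::unique_ptr<Bytecode> bytecode;  // fallback tier, never discarded by GC
  std::unique_ptr<JitCode>  jitcode;   // fast tier, may be discarded by GC
  int compileCount = 0;

  // Assumed threshold: inputs at least this long go straight to jitcode
  // without producing bytecode, mirroring the shortcut the message describes.
  static constexpr std::size_t kLongInputThreshold = 1000;

  void compile(std::size_t inputLength) {
    ++compileCount;
    if (inputLength < kLongInputThreshold) {
      bytecode = std::make_unique<Bytecode>();
    }
    jitcode = std::make_unique<JitCode>();
  }
};

// Models the GC that may run while the interrupt is being handled.
void gcDiscardJitCode(RegExpShared& re) { re.jitcode.reset(); }

// One execution attempt. The first attempt reports a pending interrupt;
// afterwards it runs whichever tier is available.
ExecResult executeOnce(RegExpShared& re, bool& interruptPending) {
  if (interruptPending) {
    interruptPending = false;
    return ExecResult::Interrupted;
  }
  if (re.jitcode) return ExecResult::Match;           // jitted path
  if (re.bytecode) return ExecResult::Match;          // interpreter fallback
  return ExecResult::NullCodeDeref;  // native code would dereference nullptr here
}

// Drives retries. With recompileAfterInterrupt == false this is the buggy
// shape: a long input loses its only tier to GC and resumes with nothing.
// With recompileAfterInterrupt == true, compilation is forced before retrying.
ExecResult execute(std::size_t inputLength, bool recompileAfterInterrupt,
                   int* compilesOut = nullptr) {
  RegExpShared re;
  re.compile(inputLength);
  bool interruptPending = true;  // constructed: one interrupt on first attempt
  ExecResult r;
  for (;;) {
    r = executeOnce(re, interruptPending);
    if (r != ExecResult::Interrupted) break;
    gcDiscardJitCode(re);  // interrupt handling may GC and drop jitcode
    if (recompileAfterInterrupt) re.compile(inputLength);
  }
  if (compilesOut) *compilesOut = re.compileCount;
  return r;
}

int main() {
  // Short input: bytecode survives GC, so the interpreter can resume either way.
  execute(10, false);
  // Long input: without recompiling there is no tier left to run.
  execute(5000, false);
  // Long input with the fix: recompiled, then matched.
  execute(5000, true);
  return 0;
}
```

The model makes the two preconditions of the crash explicit: bytecode must be absent (long input) and jitcode must have been discarded (GC during interrupt handling). Either alone is harmless, which is why the path was easy to miss.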
This was used to ensure no cross-compartment objects were embedded by
ShapeGuardProtoChain (used for the property-not-found case) but that's no longer
an issue because ShapeGuardProtoChain only does shape guards now.
Note: for the property-found case, the cross-compartment issue still applies but
that's handled by SlotReadType::CrossCompartment.
Differential Revision: https://phabricator.services.mozilla.com/D107420
We already peeled off the receiver for non-delegates (= most objects) but we can
do this for delegates too.
Depends on D107418
Differential Revision: https://phabricator.services.mozilla.com/D107419
Eagerly marking prototypes as delegate resulted in a lot of unnecessary shadowing
checks and reshaping when initializing the properties of those objects. This is
a regression from bug 724768.
It's more efficient, simpler, and consistent with JS-defined objects to mark
objects as delegate when they become the prototype of another object.
This removes the check for delegates in EmptyShape::ensureInitialCustomShape. That
should be fine because the only object it applies to is String.prototype and it
doesn't affect correctness. (RegExp and Error prototypes are plain objects since
bug 1213341 and bug 1192038 so don't show up there anyway.)
Depends on D107417
Differential Revision: https://phabricator.services.mozilla.com/D107418
This goes back to bug 787856 but dynamic prototypes don't need to be marked as
delegate, because shape teleporting and JITs don't optimize those prototype chains.
Other proxy handlers such as ScriptedProxyHandler, ForwardingProxyHandler, and Xrays
don't do this, so this is also more consistent.
Depends on D107416
Differential Revision: https://phabricator.services.mozilla.com/D107417
This goes back to when shape teleporting was used for environment chains too.
See also bug 1608034 where we made this change for (other) environment objects.
The global has a lot of properties and this avoids doing unnecessary work to
invalidate teleporting.
Add Object.prototype to the test-JSObject GDB test so that we still have a test for
the delegate flag.
Differential Revision: https://phabricator.services.mozilla.com/D107416
Removes parse handler methods which are never called and were only defined in
one but not the other parse handler.
Depends on D107330
Differential Revision: https://phabricator.services.mozilla.com/D107331
Support for `nullptr` context was added in bug 1229642 for the SPSProfiler. This
code is no longer present, so we can require a non-nullptr context in
CharsToNewUTF8CharsZ again.
Depends on D107473
Differential Revision: https://phabricator.services.mozilla.com/D107474
Subsequent patches move other XDR functions into StencilXDR.
To avoid name collision between method and type name, prepend `code` to method.
Also reorder to match the field order.
Differential Revision: https://phabricator.services.mozilla.com/D105912
If we use `arguments` in a loop, the transpiled `GuardToObject` sees a value-typed phi node and emits an MUnbox. GVN eventually cleans it up, but not before it blocks scalar replacement of arguments.
(Something similar seems to be happening in escape analysis for arrays and objects. I'm going to do a more systematic investigation of whether/how Warp broke escape analysis for objects and arrays once I'm done with arguments.)
Depends on D107304
Differential Revision: https://phabricator.services.mozilla.com/D107305
Per conversations with Bas, we want the behavior for slow extensions to match
that of slow content scripts WRT requiring user input. The test change is less
than great, but I don't think we have the ability to simulate input in
mochitests without running JS in the content process? But correct me if I'm
wrong.
Differential Revision: https://phabricator.services.mozilla.com/D107521