Bug 935952 - Clean up TypeObjectKey property interface to avoid querying objects with unknown properties, r=jandem.

2024-09-13 09:24:08 -07:00 · 2013-11-08 08:56:10 -07:00 · 2013-11-08 08:56:10 -07:00 · 03994c3d95
commit 03994c3d95
parent f2ff499ef7
4 changed files with 29 additions and 15 deletions
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@ -5974,10 +5974,13 @@ IonBuilder::testSingletonProperty(JSObject *obj, PropertyName *name)
            return nullptr;

        types::TypeObjectKey *objType = types::TypeObjectKey::get(obj);
+        if (context())
+            objType->ensureTrackedProperty(context(), NameToId(name));
+
        if (objType->unknownProperties())
            return nullptr;

-        types::HeapTypeSetKey property = objType->property(NameToId(name), context());
+        types::HeapTypeSetKey property = objType->property(NameToId(name));
        if (property.isOwnProperty(constraints())) {
            if (obj->hasSingletonType())
                return property.singleton(constraints());
@ -6049,10 +6052,12 @@ IonBuilder::testSingletonPropertyTypes(MDefinition *obj, JSObject *singleton, Pr
            types::TypeObjectKey *object = types->getObject(i);
            if (!object)
                continue;
+            if (context())
+                object->ensureTrackedProperty(context(), NameToId(name));

            if (object->unknownProperties())
                return false;
-            types::HeapTypeSetKey property = object->property(NameToId(name), context());
+            types::HeapTypeSetKey property = object->property(NameToId(name));
            if (property.isOwnProperty(constraints()))
                return false;

@ -6187,12 +6192,15 @@ IonBuilder::getStaticName(JSObject *staticObject, PropertyName *name, bool *psuc
    }

    types::TypeObjectKey *staticType = types::TypeObjectKey::get(staticObject);
+    if (context())
+        staticType->ensureTrackedProperty(context(), NameToId(name));
+
    if (staticType->unknownProperties()) {
        *psucceeded = false;
        return true;
    }

-    types::HeapTypeSetKey property = staticType->property(id, context());
+    types::HeapTypeSetKey property = staticType->property(id);
    if (!property.maybeTypes() ||
        !property.maybeTypes()->definiteProperty() ||
        property.configured(constraints(), staticType))
--- a/js/src/jit/MIR.cpp
+++ b/js/src/jit/MIR.cpp
@ -2928,8 +2928,11 @@ jit::PropertyReadNeedsTypeBarrier(JSContext *propertycx,
                break;

            types::TypeObjectKey *typeObj = types::TypeObjectKey::get(obj);
+            if (propertycx)
+                typeObj->ensureTrackedProperty(propertycx, NameToId(name));
+
            if (!typeObj->unknownProperties()) {
-                types::HeapTypeSetKey property = typeObj->property(NameToId(name), propertycx);
+                types::HeapTypeSetKey property = typeObj->property(NameToId(name));
                if (property.maybeTypes()) {
                    types::TypeSet::TypeList types;
                    if (!property.maybeTypes()->enumerateTypes(&types))
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@ -827,7 +827,7 @@ TypeObjectKey::unknownProperties()
 }

 HeapTypeSetKey
-TypeObjectKey::property(jsid id, JSContext *maybecx /* = nullptr */)
+TypeObjectKey::property(jsid id)
 {
    JS_ASSERT(!unknownProperties());

@ -837,22 +837,24 @@ TypeObjectKey::property(jsid id, JSContext *maybecx /* = nullptr */)
    if (TypeObject *type = maybeType())
        property.maybeTypes_ = type->maybeGetProperty(id);

+    return property;
+}
+
+void
+TypeObjectKey::ensureTrackedProperty(JSContext *cx, jsid id)
+{
 #ifdef JS_ION
    // If we are accessing a lazily defined property which actually exists in
    // the VM and has not been instantiated yet, instantiate it now if we are
    // on the main thread and able to do so.
-    if (maybecx && !property.maybeTypes() && !JSID_IS_VOID(id) && !JSID_IS_EMPTY(id)) {
-        JS_ASSERT(CurrentThreadCanAccessRuntime(maybecx->runtime()));
-        JSObject *singleton = isSingleObject() ? asSingleObject() : asTypeObject()->singleton;
-        if (singleton && singleton->isNative() && singleton->nativeLookupPure(id)) {
-            EnsureTrackPropertyTypes(maybecx, singleton, id);
-            if (TypeObject *type = maybeType())
-                property.maybeTypes_ = type->maybeGetProperty(id);
+    if (!JSID_IS_VOID(id) && !JSID_IS_EMPTY(id)) {
+        JS_ASSERT(CurrentThreadCanAccessRuntime(cx->runtime()));
+        if (JSObject *obj = singleton()) {
+            if (obj->isNative() && obj->nativeLookupPure(id))
+                EnsureTrackPropertyTypes(cx, obj, id);
        }
    }
 #endif // JS_ION
-
-    return property;
 }

 bool
--- a/js/src/jsinfer.h
+++ b/js/src/jsinfer.h
@ -1257,7 +1257,8 @@ struct TypeObjectKey
    void watchStateChangeForInlinedCall(CompilerConstraintList *constraints);
    void watchStateChangeForNewScriptTemplate(CompilerConstraintList *constraints);
    void watchStateChangeForTypedArrayBuffer(CompilerConstraintList *constraints);
-    HeapTypeSetKey property(jsid id, JSContext *maybecx = nullptr);
+    HeapTypeSetKey property(jsid id);
+    void ensureTrackedProperty(JSContext *cx, jsid id);

    TypeObject *maybeType();
 };