Bug 1176075 - Add a missing check for nursery objects during Ion compilation, r=jandem.

2024-09-13 09:24:08 -07:00 · 2015-06-24 16:02:04 -07:00 · 2015-06-24 16:02:04 -07:00 · 0978a05809
commit 0978a05809
parent 1dee7937d6
2 changed files with 6 additions and 6 deletions
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@ -12375,17 +12375,16 @@ IonBuilder::jsop_in_dense(JSValueType unboxedType)
    return true;
 }

-static bool
-HasOnProtoChain(CompilerConstraintList* constraints, TypeSet::ObjectKey* key,
-                JSObject* protoObject, bool* hasOnProto)
+bool
+IonBuilder::hasOnProtoChain(TypeSet::ObjectKey* key, JSObject* protoObject, bool* hasOnProto)
 {
    MOZ_ASSERT(protoObject);

    while (true) {
-        if (!key->hasStableClassAndProto(constraints) || !key->clasp()->isNative())
+        if (!key->hasStableClassAndProto(constraints()) || !key->clasp()->isNative())
            return false;

-        JSObject* proto = key->proto().toObjectOrNull();
+        JSObject* proto = checkNurseryObject(key->proto().toObjectOrNull());
        if (!proto) {
            *hasOnProto = false;
            return true;
@ -12429,7 +12428,7 @@ IonBuilder::tryFoldInstanceOf(MDefinition* lhs, JSObject* protoObject)
            continue;

        bool isInstance;
-        if (!HasOnProtoChain(constraints(), key, protoObject, &isInstance))
+        if (!hasOnProtoChain(key, protoObject, &isInstance))
            return false;

        if (isFirst) {
--- a/js/src/jit/IonBuilder.h
+++ b/js/src/jit/IonBuilder.h
@ -616,6 +616,7 @@ class IonBuilder
    MDefinition* addLexicalCheck(MDefinition* input);

    bool tryFoldInstanceOf(MDefinition* lhs, JSObject* protoObject);
+    bool hasOnProtoChain(TypeSet::ObjectKey* key, JSObject* protoObject, bool* hasOnProto);

    bool jsop_add(MDefinition* left, MDefinition* right);
    bool jsop_bitnot();