mirror of
https://gitlab.winehq.org/wine/wine-gecko.git
synced 2024-09-13 09:24:08 -07:00
[INFER] Use type barriers for NAME accesses on scripts whose types have been purged, bug 663138.
This commit is contained in:
parent
3e0ad0ceba
commit
736384af84
@ -643,6 +643,7 @@ JSCompartment::sweep(JSContext *cx, uint32 releaseInterval)
|
||||
if (discardScripts) {
|
||||
script->types->destroy();
|
||||
script->types = NULL;
|
||||
script->typesPurged = true;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -3547,10 +3547,16 @@ ScriptAnalysis::analyzeTypesBytecode(JSContext *cx, unsigned offset,
|
||||
TypeSet *seen = bytecodeTypes(pc);
|
||||
seen->addSubset(cx, &pushed[0]);
|
||||
|
||||
/* Try to resolve this name by walking the function's scope nesting. */
|
||||
/*
|
||||
* Try to resolve this name by walking the function's scope nesting.
|
||||
* If we succeed but the accessed script has had its TypeScript purged
|
||||
* in the past, we still must use a type barrier: the name access can
|
||||
* be on a call object which predated the purge, and whose types might
|
||||
* not be reflected in the reconstructed information.
|
||||
*/
|
||||
jsid id = GetAtomId(cx, script, pc, 0);
|
||||
NameAccess access = resolveNameAccess(cx, id);
|
||||
if (access.script) {
|
||||
if (access.script && !access.script->typesPurged) {
|
||||
TypeSet *types = TypeScript::SlotTypes(access.script, access.slot);
|
||||
types->addSubsetBarrier(cx, script, pc, seen);
|
||||
} else {
|
||||
|
@ -525,6 +525,7 @@ struct JSScript {
|
||||
bool createdArgs:1; /* script has had arguments objects created */
|
||||
bool uninlineable:1; /* script is considered uninlineable by analysis */
|
||||
bool reentrantOuterFunction:1; /* outer function marked reentrant */
|
||||
bool typesPurged:1; /* TypeScript has been purged at some point */
|
||||
#ifdef JS_METHODJIT
|
||||
bool debugMode:1; /* script was compiled in debug mode */
|
||||
bool failedBoundsCheck:1; /* script has had hoisted bounds checks fail */
|
||||
|
Loading…
Reference in New Issue
Block a user