[INFER] Use type barriers for NAME accesses on scripts whose types have been purged, bug 663138.

Brian Hackett 2011-09-01 12:36:42 -07:00
parent 3e0ad0ceba
commit 736384af84
3 changed files with 10 additions and 2 deletions


@ -643,6 +643,7 @@ JSCompartment::sweep(JSContext *cx, uint32 releaseInterval)
if (discardScripts) {
script->types->destroy();
script->types = NULL;
script->typesPurged = true;
}
}
}
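Review bot: `script->typesPurged = true;` is set by hand beside the `destroy()` call, so the flag is only reliable if every site that destroys `script->types` remembers to set it. If other such sites exist outside this hunk (none are visible here), a missed one would leave name accesses on that script resolved without a type barrier. A small helper that destroys the TypeScript and sets the flag together would remove that risk. At minimum, a comment here such as `/* sticky: NAME accesses on this script need type barriers from now on */` would make the dependency explicit. The body of JSCompartment::sweep starts outside the hunk.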


@ -3547,10 +3547,16 @@ ScriptAnalysis::analyzeTypesBytecode(JSContext *cx, unsigned offset,
TypeSet *seen = bytecodeTypes(pc);
seen->addSubset(cx, &pushed[0]);
/* Try to resolve this name by walking the function's scope nesting. */
/*
* Try to resolve this name by walking the function's scope nesting.
* If we succeed but the accessed script has had its TypeScript purged
* in the past, we still must use a type barrier: the name access can
* be on a call object which predated the purge, and whose types might
* not be reflected in the reconstructed information.
*/
jsid id = GetAtomId(cx, script, pc, 0);
NameAccess access = resolveNameAccess(cx, id);
if (access.script) {
if (access.script && !access.script->typesPurged) {
TypeSet *types = TypeScript::SlotTypes(access.script, access.slot);
types->addSubsetBarrier(cx, script, pc, seen);
} else {
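Review bot: With `!access.script->typesPurged` added to the condition, a resolved access on a purged script now falls into the same `else` branch as an unresolved name, and that branch's body lies outside the hunk. The new comment promises that a type barrier is still used in this case, so it is worth confirming that the fallback path installs one. The flag is read once, when the accessing script is analysed; whether a later purge of `access.script` also discards this analysis is not visible here and deserves a sentence in the comment. None of the three visible sections is a test, so a regression test for bug 663138 would pin the behaviour: purge types, then read a name from a call object created before the purge.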


@ -525,6 +525,7 @@ struct JSScript {
bool createdArgs:1; /* script has had arguments objects created */
bool uninlineable:1; /* script is considered uninlineable by analysis */
bool reentrantOuterFunction:1; /* outer function marked reentrant */
bool typesPurged:1; /* TypeScript has been purged at some point */
#ifdef JS_METHODJIT
bool debugMode:1; /* script was compiled in debug mode */
bool failedBoundsCheck:1; /* script has had hoisted bounds checks fail */
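Review bot: The comment on `typesPurged` says "at some point" but not that the bit appears never to be cleared in this commit, nor what reads it. A maintainer needs both facts to avoid resetting it when type information is rebuilt. Something like `bool typesPurged:1; /* TypeScript was purged at least once; not cleared afterwards, forces type barriers on NAME accesses */` would carry that. The hunk does not show where the bit is initialised; presumably it relies on the same initialisation as the neighbouring flags, which is worth confirming.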