Back out 356231081116 (bug 1162199) for js::GCMarker::eagerlyMarkChildren crashes

CLOSED TREE
2024-09-13 09:24:08 -07:00 · 2015-05-16 10:38:07 -07:00 · 2015-05-16 10:38:07 -07:00 · 7b334c5554
commit 7b334c5554
parent 456c3d502b
9 changed files with 25 additions and 29 deletions
--- a/js/src/jit/JitOptions.cpp
+++ b/js/src/jit/JitOptions.cpp
@ -161,9 +161,6 @@ JitOptions::JitOptions()

    // The bytecode length limit for small function.
    SET_DEFAULT(smallFunctionMaxBytecodeLength_, 100);
-
-    // Toggles whether unboxed plain objects can be created by the VM.
-    SET_DEFAULT(disableUnboxedObjects, false);
 }

 bool
--- a/js/src/jit/JitOptions.h
+++ b/js/src/jit/JitOptions.h
@ -67,9 +67,6 @@ struct JitOptions
    uint32_t osrPcMismatchesBeforeRecompile;
    uint32_t smallFunctionMaxBytecodeLength_;

-    // The options below affect the rest of the VM, and not just the JIT.
-    bool disableUnboxedObjects;
-
    JitOptions();
    bool isSmallFunction(JSScript* script) const;
    void setEagerCompilation();
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@ -1137,6 +1137,7 @@ class JS_PUBLIC_API(RuntimeOptions) {
        ion_(true),
        asmJS_(true),
        nativeRegExp_(true),
+        unboxedObjects_(false), // Not enabled by default yet
        unboxedArrays_(false), // Ditto
        werror_(false),
        strictMode_(false),
@ -1181,6 +1182,12 @@ class JS_PUBLIC_API(RuntimeOptions) {
        return *this;
    }

+    bool unboxedObjects() const { return unboxedObjects_; }
+    RuntimeOptions& setUnboxedObjects(bool flag) {
+        unboxedObjects_ = flag;
+        return *this;
+    }
+
    bool unboxedArrays() const { return unboxedArrays_; }
    RuntimeOptions& setUnboxedArrays(bool flag) {
        unboxedArrays_ = flag;
@ -1232,6 +1239,7 @@ class JS_PUBLIC_API(RuntimeOptions) {
    bool ion_ : 1;
    bool asmJS_ : 1;
    bool nativeRegExp_ : 1;
+    bool unboxedObjects_ : 1;
    bool unboxedArrays_ : 1;
    bool werror_ : 1;
    bool strictMode_ : 1;
--- a/js/src/shell/js.cpp
+++ b/js/src/shell/js.cpp
@ -132,6 +132,7 @@ static bool enableBaseline = false;
 static bool enableIon = false;
 static bool enableAsmJS = false;
 static bool enableNativeRegExp = false;
+static bool enableUnboxedObjects = false;
 static bool enableUnboxedArrays = false;
 #ifdef JS_GC_ZEAL
 static char gZealStr[128];
@ -5777,17 +5778,16 @@ SetRuntimeOptions(JSRuntime* rt, const OptionParser& op)
    enableIon = !op.getBoolOption("no-ion");
    enableAsmJS = !op.getBoolOption("no-asmjs");
    enableNativeRegExp = !op.getBoolOption("no-native-regexp");
+    enableUnboxedObjects = op.getBoolOption("unboxed-objects");
    enableUnboxedArrays = op.getBoolOption("unboxed-arrays");

    JS::RuntimeOptionsRef(rt).setBaseline(enableBaseline)
                             .setIon(enableIon)
                             .setAsmJS(enableAsmJS)
                             .setNativeRegExp(enableNativeRegExp)
+                             .setUnboxedObjects(enableUnboxedObjects)
                             .setUnboxedArrays(enableUnboxedArrays);

-    if (op.getBoolOption("no-unboxed-objects"))
-        jit::js_JitOptions.disableUnboxedObjects = true;
-
    if (const char* str = op.getStringOption("ion-scalar-replacement")) {
        if (strcmp(str, "on") == 0)
            jit::js_JitOptions.disableScalarReplacement = false;
@ -5991,6 +5991,7 @@ SetWorkerRuntimeOptions(JSRuntime* rt)
                             .setIon(enableIon)
                             .setAsmJS(enableAsmJS)
                             .setNativeRegExp(enableNativeRegExp)
+                             .setUnboxedObjects(enableUnboxedObjects)
                             .setUnboxedArrays(enableUnboxedArrays);
    rt->setOffthreadIonCompilationEnabled(offthreadCompilation);
    rt->profilingScripts = enableDisassemblyDumps;
@ -6133,7 +6134,7 @@ main(int argc, char** argv, char** envp)
        || !op.addBoolOption('\0', "no-ion", "Disable IonMonkey")
        || !op.addBoolOption('\0', "no-asmjs", "Disable asm.js compilation")
        || !op.addBoolOption('\0', "no-native-regexp", "Disable native regexp compilation")
-        || !op.addBoolOption('\0', "no-unboxed-objects", "Disable creating unboxed plain objects")
+        || !op.addBoolOption('\0', "unboxed-objects", "Allow creating unboxed plain objects")
        || !op.addBoolOption('\0', "unboxed-arrays", "Allow creating unboxed arrays")
        || !op.addStringOption('\0', "ion-scalar-replacement", "on/off",
                               "Scalar Replacement (default: on, off to disable)")
--- a/js/src/vm/NativeObject.cpp
+++ b/js/src/vm/NativeObject.cpp
@ -357,8 +357,6 @@ NativeObject::setLastPropertyMakeNative(ExclusiveContext* cx, Shape* shape)
    size_t oldSpan = shape->numFixedSlots();
    size_t newSpan = shape->slotSpan();

-    initializeSlotRange(0, oldSpan);
-
    // A failure at this point will leave the object as a mutant, and we
    // can't recover.
    if (oldSpan != newSpan && !updateSlotsForSpan(cx, oldSpan, newSpan))
--- a/js/src/vm/ReceiverGuard.cpp
+++ b/js/src/vm/ReceiverGuard.cpp
@ -59,6 +59,6 @@ HeapReceiverGuard::trace(JSTracer* trc)
 {
    if (shape_)
        TraceEdge(trc, &shape_, "receiver_guard_shape");
-    if (group_)
+    else
        TraceEdge(trc, &group_, "receiver_guard_group");
 }
--- a/js/src/vm/TypeInference-inl.h
+++ b/js/src/vm/TypeInference-inl.h
@ -445,7 +445,7 @@ MarkObjectGroupFlags(ExclusiveContext* cx, JSObject* obj, ObjectGroupFlags flags
 }

 inline void
-MarkObjectGroupUnknownProperties(ExclusiveContext* cx, ObjectGroup* obj)
+MarkObjectGroupUnknownProperties(JSContext* cx, ObjectGroup* obj)
 {
    if (!obj->unknownProperties())
        obj->markUnknown(cx);
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@ -2864,11 +2864,6 @@ ObjectGroup::markUnknown(ExclusiveContext* cx)
            prop->types.setNonDataProperty(cx);
        }
    }
-
-    if (maybeUnboxedLayout() && maybeUnboxedLayout()->nativeGroup())
-        MarkObjectGroupUnknownProperties(cx, maybeUnboxedLayout()->nativeGroup());
-    if (ObjectGroup* unboxedGroup = maybeOriginalUnboxedGroup())
-        MarkObjectGroupUnknownProperties(cx, unboxedGroup);
 }

 TypeNewScript*
--- a/js/src/vm/UnboxedObject.cpp
+++ b/js/src/vm/UnboxedObject.cpp
@ -1885,26 +1885,26 @@ bool
 js::TryConvertToUnboxedLayout(ExclusiveContext* cx, Shape* templateShape,
                              ObjectGroup* group, PreliminaryObjectArray* objects)
 {
-    bool isArray = !templateShape;
-
-    // Unboxed arrays are nightly only for now. The getenv() call will be
+    // Unboxed objects are nightly only for now. The getenv() call will be
    // removed when they are on by default. See bug 1153266.
-    if (isArray) {
 #ifdef NIGHTLY_BUILD
-        if (!getenv("JS_OPTION_USE_UNBOXED_ARRAYS")) {
-            if (!group->runtimeFromAnyThread()->options().unboxedArrays())
+    if (templateShape) {
+        if (!getenv("JS_OPTION_USE_UNBOXED_OBJECTS")) {
+            if (!group->runtimeFromAnyThread()->options().unboxedObjects())
                return true;
        }
-#else
-        return true;
-#endif
    } else {
-        if (jit::js_JitOptions.disableUnboxedObjects)
+        if (!group->runtimeFromAnyThread()->options().unboxedArrays())
            return true;
    }
+#else
+    return true;
+#endif

    MOZ_ASSERT_IF(templateShape, !templateShape->getObjectFlags());

+    bool isArray = !templateShape;
+
    if (group->runtimeFromAnyThread()->isSelfHostingGlobal(cx->global()))
        return true;