wine/gecko
0
0
Fork 0
mirror of https://gitlab.winehq.org/wine/wine-gecko.git synced 2024-09-13 09:24:08 -07:00
Code Issues Packages Projects Releases Wiki Activity

Don't eagerly fetch values from prototypes when analyzing reads on shadowed properties, bug 786915. r=jandem

Browse Source
This commit is contained in:
Brian Hackett 2012-08-30 10:11:44 -06:00
parent 1ccc09a87b
commit 8aa83ea20c
1 changed files with 22 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
js/src/jsinfer.cpp
View File

@ -1074,6 +1074,17 @@ PropertyAccess(JSContext *cx, JSScript *script, jsbytecode *pc, TypeObject *obje
return; return;
} }
/*
* Get the possible types of the property. For assignments, we do not
* automatically update the 'own' bit on accessed properties, except for
* indexed elements. This exception allows for JIT fast paths to avoid
* testing the array's type when assigning to dense array elements.
*/
bool markOwn = access == PROPERTY_WRITE && JSID_IS_VOID(id);
HeapTypeSet *types = object->getProperty(cx, id, markOwn);
if (!types)
return;
/* /*
* Try to resolve reads from the VM state ahead of time, e.g. for reads * Try to resolve reads from the VM state ahead of time, e.g. for reads
* of defined global variables or from the prototype of the object. This * of defined global variables or from the prototype of the object. This
@ -1083,23 +1094,23 @@ PropertyAccess(JSContext *cx, JSScript *script, jsbytecode *pc, TypeObject *obje
* object or prototype will not change between analysis and execution. * object or prototype will not change between analysis and execution.
*/ */
if (access != PROPERTY_WRITE) { if (access != PROPERTY_WRITE) {
if (JSObject *singleton = object->singleton ? object->singleton : object->proto) { JSObject *singleton = object->singleton;
/*
* Don't eagerly resolve reads from the prototype if the instance type
* is known to shadow the prototype's property.
*/
if (!singleton && !types->ownProperty(false))
singleton = object->proto;
if (singleton) {
Type type = GetSingletonPropertyType(cx, singleton, id); Type type = GetSingletonPropertyType(cx, singleton, id);
if (!type.isUnknown()) if (!type.isUnknown())
target->addType(cx, type); target->addType(cx, type);
} }
} }
/* /* Capture the effects of a standard property access. */
* Capture the effects of a standard property access. For assignments, we do not
* automatically update the 'own' bit on accessed properties, except for indexed
* elements in dense arrays. The latter exception allows for JIT fast paths to avoid
* testing the array's type when assigning to dense array elements.
*/
bool markOwn = access == PROPERTY_WRITE && JSID_IS_VOID(id);
HeapTypeSet *types = object->getProperty(cx, id, markOwn);
if (!types)
return;
if (access == PROPERTY_WRITE) { if (access == PROPERTY_WRITE) {
target->addSubset(cx, types); target->addSubset(cx, types);
} else { } else {