Bug 1129473 - Ensure off-thread parsing sets the is-delegate flag on builtin protos. r=bhackett

--HG-- extra : rebase_source : 2eab0362e1207c1bc258346d427498f14ddf1b04
2024-09-13 09:24:08 -07:00 · 2015-02-06 18:17:00 +01:00 · 2015-02-06 18:17:00 +01:00 · a32154fadf
commit a32154fadf
parent 734705c818
4 changed files with 23 additions and 11 deletions
--- a/js/src/jsobj.h
+++ b/js/src/jsobj.h
@ -353,9 +353,7 @@ class JSObject : public js::gc::Cell

    JSObject *getProto() const {
        MOZ_ASSERT(!uninlinedIsProxy());
-        JSObject *proto = getTaggedProto().toObjectOrNull();
-        MOZ_ASSERT_IF(proto && proto->isNative(), proto->isDelegate());
-        return proto;
+        return getTaggedProto().toObjectOrNull();
    }

    // Normal objects and a subset of proxies have uninteresting [[Prototype]].
--- a/js/src/vm/HelperThreads.cpp
+++ b/js/src/vm/HelperThreads.cpp
@ -845,6 +845,15 @@ LeaveParseTaskZone(JSRuntime *rt, ParseTask *task)
    rt->clearUsedByExclusiveThread(task->cx->zone());
 }

+static bool
+EnsureConstructor(JSContext *cx, Handle<GlobalObject*> global, JSProtoKey key)
+{
+    if (!GlobalObject::ensureConstructor(cx, global, key))
+        return false;
+
+    return global->getPrototype(key).toObject().setDelegate(cx);
+}
+
 JSScript *
 GlobalHelperThreadState::finishParseTask(JSContext *maybecx, JSRuntime *rt, void *token)
 {
@ -876,11 +885,11 @@ GlobalHelperThreadState::finishParseTask(JSContext *maybecx, JSRuntime *rt, void
    // Make sure we have all the constructors we need for the prototype
    // remapping below, since we can't GC while that's happening.
    Rooted<GlobalObject*> global(cx, &cx->global()->as<GlobalObject>());
-    if (!GlobalObject::ensureConstructor(cx, global, JSProto_Object) ||
-        !GlobalObject::ensureConstructor(cx, global, JSProto_Array) ||
-        !GlobalObject::ensureConstructor(cx, global, JSProto_Function) ||
-        !GlobalObject::ensureConstructor(cx, global, JSProto_RegExp) ||
-        !GlobalObject::ensureConstructor(cx, global, JSProto_Iterator))
+    if (!EnsureConstructor(cx, global, JSProto_Object) ||
+        !EnsureConstructor(cx, global, JSProto_Array) ||
+        !EnsureConstructor(cx, global, JSProto_Function) ||
+        !EnsureConstructor(cx, global, JSProto_RegExp) ||
+        !EnsureConstructor(cx, global, JSProto_Iterator))
    {
        LeaveParseTaskZone(rt, parseTask);
        return nullptr;
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@ -48,6 +48,13 @@ ObjectGroup::finalize(FreeOp *fop)
    fop->delete_(maybeUnboxedLayoutDontCheckGeneration());
 }

+void
+ObjectGroup::setProtoUnchecked(TaggedProto proto)
+{
+    proto_ = proto.raw();
+    MOZ_ASSERT_IF(proto_ && proto_->isNative(), proto_->isDelegate());
+}
+
 void
 ObjectGroup::setProto(JSContext *cx, TaggedProto proto)
 {
--- a/js/src/vm/ObjectGroup.h
+++ b/js/src/vm/ObjectGroup.h
@ -256,9 +256,7 @@ class ObjectGroup : public gc::TenuredCell
    HeapPtrObject &singletonRaw() { return singleton_; }

    void setProto(JSContext *cx, TaggedProto proto);
-    void setProtoUnchecked(TaggedProto proto) {
-        proto_ = proto.raw();
-    }
+    void setProtoUnchecked(TaggedProto proto);

    void initSingleton(JSObject *singleton) {
        singleton_ = singleton;