Bug 1208067 - Ensure that self-hosted functions with innner functions aren't relazified. r=jandem

2024-09-13 09:24:08 -07:00 · 2015-09-24 23:19:56 +02:00 · 2015-09-24 23:19:56 +02:00 · fe7188831d
commit fe7188831d
parent fe4cccced2
5 changed files with 33 additions and 3 deletions
--- a/js/src/builtin/Utilities.js
+++ b/js/src/builtin/Utilities.js
@ -49,7 +49,6 @@ var std_Map_iterator_next = MapIteratorNext;

 /********** List specification type **********/

-
 /* Spec: ECMAScript Language Specification, 5.1 edition, 8.8 */
 function List() {
    this.length = 0;
@ -193,3 +192,10 @@ function SpeciesConstructor(obj, defaultConstructor) {
    // Step 10.
    ThrowTypeError(JSMSG_NOT_CONSTRUCTOR, "@@species property of object's constructor");
 }
+
+/*************************************** Testing functions ***************************************/
+function outer() {
+    return function inner() {
+        return "foo";
+    }
+}
--- a/js/src/frontend/BytecodeEmitter.cpp
+++ b/js/src/frontend/BytecodeEmitter.cpp
@ -5780,6 +5780,7 @@ BytecodeEmitter::emitFunction(ParseNode* pn, bool needsProto)
        if (!JSFunction::setTypeForScriptedFunction(cx, fun, singleton))
            return false;

+        SharedContext* outersc = sc;
        if (fun->isInterpretedLazy()) {
            if (!fun->lazyScript()->sourceObject()) {
                JSObject* scope = innermostStaticScope();
@ -5789,7 +5790,6 @@ BytecodeEmitter::emitFunction(ParseNode* pn, bool needsProto)
            if (emittingRunOnceLambda)
                fun->lazyScript()->setTreatAsRunOnce();
        } else {
-            SharedContext* outersc = sc;

            if (outersc->isFunctionBox() && outersc->asFunctionBox()->mightAliasLocals())
                funbox->setMightAliasLocals();      // inherit mightAliasLocals from parent
@ -5827,6 +5827,8 @@ BytecodeEmitter::emitFunction(ParseNode* pn, bool needsProto)
            if (funbox->usesArguments && funbox->usesApply && funbox->usesThis)
                script->setUsesArgumentsApplyAndThis();
        }
+        if (outersc->isFunctionBox())
+            outersc->asFunctionBox()->function()->nonLazyScript()->setHasInnerFunctions(true);
    } else {
        MOZ_ASSERT(IsAsmJSModuleNative(fun->native()));
    }
--- a/js/src/jit-test/tests/basic/relazify-selfhosted.js
+++ b/js/src/jit-test/tests/basic/relazify-selfhosted.js
@ -0,0 +1,4 @@
+var g = newGlobal();
+g.eval("this.inner = getSelfHostedValue('outer')()");
+gc();
+g.inner();
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@ -600,6 +600,7 @@ js::XDRScript(XDRState<mode>* xdr, HandleObject enclosingScopeArg, HandleScript
        TreatAsRunOnce,
        HasLazyScript,
        HasNonSyntacticScope,
+        HasInnerFunctions,
    };

    uint32_t length, lineno, column, nslots;
@ -735,6 +736,8 @@ js::XDRScript(XDRState<mode>* xdr, HandleObject enclosingScopeArg, HandleScript
            scriptBits |= (1 << HasLazyScript);
        if (script->hasNonSyntacticScope())
            scriptBits |= (1 << HasNonSyntacticScope);
+        if (script->hasInnerFunctions())
+            scriptBits |= (1 << HasInnerFunctions);
    }

    if (!xdr->codeUint32(&prologueLength))
@ -869,6 +872,8 @@ js::XDRScript(XDRState<mode>* xdr, HandleObject enclosingScopeArg, HandleScript
            script->treatAsRunOnce_ = true;
        if (scriptBits & (1 << HasNonSyntacticScope))
            script->hasNonSyntacticScope_ = true;
+        if (scriptBits & (1 << HasInnerFunctions))
+            script->hasInnerFunctions_ = true;

        if (scriptBits & (1 << IsLegacyGenerator)) {
            MOZ_ASSERT(!(scriptBits & (1 << IsStarGenerator)));
@ -3372,6 +3377,7 @@ js::detail::CopyScript(JSContext* cx, HandleObject scriptStaticScope, HandleScri
    dst->funHasAnyAliasedFormal_ = src->funHasAnyAliasedFormal();
    dst->hasSingletons_ = src->hasSingletons();
    dst->treatAsRunOnce_ = src->treatAsRunOnce();
+    dst->hasInnerFunctions_ = src->hasInnerFunctions();
    dst->isGeneratorExp_ = src->isGeneratorExp();
    dst->setGeneratorKind(src->generatorKind());

--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@ -1154,6 +1154,10 @@ class JSScript : public js::gc::TenuredCell
    // keep it from relazifying.
    bool doNotRelazify_:1;

+    // Script contains inner functions. Used to check if we can relazify the
+    // script.
+    bool hasInnerFunctions_:1;
+
    bool needsHomeObject_:1;

    bool isDerivedClassConstructor_:1;
@ -1483,6 +1487,14 @@ class JSScript : public js::gc::TenuredCell
        doNotRelazify_ = b;
    }

+    void setHasInnerFunctions(bool b) {
+        hasInnerFunctions_ = b;
+    }
+
+    bool hasInnerFunctions() const {
+        return hasInnerFunctions_;
+    }
+
    bool hasAnyIonScript() const {
        return hasIonScript();
    }
@ -1545,7 +1557,7 @@ class JSScript : public js::gc::TenuredCell
    }

    bool isRelazifiable() const {
-        return (selfHosted() || lazyScript) && !types_ &&
+        return (selfHosted() || lazyScript) && !hasInnerFunctions_ && !types_ &&
               !isGenerator() && !hasBaselineScript() && !hasAnyIonScript() &&
               !hasScriptCounts() && !doNotRelazify_;
    }