-rw-r--r--js/src/jsfun.h13
-rw-r--r--js/src/vm/ObjectGroup.cpp7
-rw-r--r--js/src/vm/TypeInference.cpp13
3 files changed, 26 insertions, 7 deletions
diff --git a/js/src/jsfun.h b/js/src/jsfun.h
index 7da831aa2b..1c7da57ecd 100644
--- a/js/src/jsfun.h
+++ b/js/src/jsfun.h
@@ -460,6 +460,19 @@ class JSFunction : public js::NativeObject
return nonLazyScript();
}
+ // If this is a scripted function, returns its canonical function (the
+ // original function allocated by the frontend). Note that lazy self-hosted
+ // builtins don't have a lazy script so in that case we also return nullptr.
+ JSFunction* maybeCanonicalFunction() const {
+ if (hasScript()) {
+ return nonLazyScript()->functionNonDelazifying();
+ }
+ if (isInterpretedLazy() && !isSelfHostedBuiltin()) {
+ return lazyScript()->functionNonDelazifying();
+ }
+ return nullptr;
+ }
+
// The state of a JSFunction whose script errored out during bytecode
// compilation. Such JSFunctions are only reachable via GC iteration and
// not from script.
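Review bot: The header comment on `maybeCanonicalFunction()` says what is returned but not the property callers are about to rely on: the assertion added to TypeNewScript::make in this same commit treats the result as a fixed point (calling it again on the returned function appears to yield the same function), and callers must null-check because self-hosted lazy builtins yield nullptr. Consider extending the comment with `// The result, when non-null, is itself canonical: calling maybeCanonicalFunction() on it returns the same function.` if that holds for both the script and lazy-script paths, which it seems to from functionNonDelazifying(). The enclosing JSFunction class continues outside the hunk.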
diff --git a/js/src/vm/ObjectGroup.cpp b/js/src/vm/ObjectGroup.cpp
index d6a8fcaa46..1fbf8976b6 100644
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@@ -496,12 +496,7 @@ ObjectGroup::defaultNewGroup(ExclusiveContext* cx, const Class* clasp,
// Canonicalize new functions to use the original one associated with its script.
JSFunction* fun = &associated->as<JSFunction>();
- if (fun->hasScript())
- associated = fun->nonLazyScript()->functionNonDelazifying();
- else if (fun->isInterpretedLazy() && !fun->isSelfHostedBuiltin())
- associated = fun->lazyScript()->functionNonDelazifying();
- else
- associated = nullptr;
+ associated = associated->as<JSFunction>().maybeCanonicalFunction();
// If we have previously cleared the 'new' script information for this
// function, don't try to construct another one.
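Review bot: The replacement line re-casts `associated->as<JSFunction>()` although the context line just above already bound that value to `fun`, which now looks unused in the visible part of the hunk and may trigger an unused-variable warning if nothing after the hunk reads it. Either use the existing local, `associated = fun->maybeCanonicalFunction();`, or drop the `fun` declaration if it has no remaining users. The enclosing defaultNewGroup body continues outside the hunk, so whether `fun` is used later cannot be confirmed here.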
diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
index c86345d9c9..4775a2dea2 100644
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3603,6 +3603,10 @@ TypeNewScript::make(JSContext* cx, ObjectGroup* group, JSFunction* fun)
MOZ_ASSERT(!group->newScript());
MOZ_ASSERT(!group->maybeUnboxedLayout());
+ // rollbackPartiallyInitializedObjects expects function_ to be
+ // canonicalized.
+ MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
+
if (group->unknownProperties())
return true;
@@ -3958,8 +3962,15 @@ TypeNewScript::rollbackPartiallyInitializedObjects(JSContext* cx, ObjectGroup* g
oomUnsafe.crash("rollbackPartiallyInitializedObjects");
}
- if (!iter.isConstructing() || !iter.matchCallee(cx, function))
+ if (!iter.isConstructing()) {
+ continue;
+ }
+
+ MOZ_ASSERT(iter.calleeTemplate()->maybeCanonicalFunction());
+
+ if (iter.calleeTemplate()->maybeCanonicalFunction() != function) {
continue;
+ }
// Derived class constructors initialize their this-binding later and
// we shouldn't run the definite properties analysis on them.
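Review bot: `iter.calleeTemplate()->maybeCanonicalFunction()` is evaluated twice in a row, once in the assertion and once in the comparison, and in a non-debug build only the second call survives, so the value the assertion checked is not the one compared. Binding it once keeps both on the same value and reads more clearly: `JSFunction* callee = iter.calleeTemplate()->maybeCanonicalFunction();` `MOZ_ASSERT(callee);` `if (callee != function) continue;`. The same canonical-function value could also be what a debugging engineer wants to see on the assertion, which a named local makes easier. The enclosing rollbackPartiallyInitializedObjects loop continues outside the hunk.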