[INFER] Sweep type objects in the TypeResults attached to JSScripts, bug 643284.
authorBrian Hackett <bhackett1024@gmail.com>
Sun, 20 Mar 2011 08:44:31 -0700
changeset 74820 c0ed46c39d15eec2af364643529ea1bddb2c125c
parent 74819 d7fa1607c33e15882452e09a231909bd497f5f8c
child 74821 38bc7af66c0bfbaf4d5dcc3791a66d8d809627c6
push id2
push userbsmedberg@mozilla.com
push dateFri, 19 Aug 2011 14:38:13 +0000
bugs643284
milestone2.0b13pre
[INFER] Sweep type objects in the TypeResults attached to JSScripts, bug 643284.
js/src/jsinfer.cpp
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -4211,23 +4211,20 @@ CondenseSweepTypeSet(JSContext *cx, Type
                 /*
                  * If the object has unknown properties, instead of removing it
                  * replace it with the compartment's empty type object. This is
                  * needed to handle mutable __proto__ --- the type object in
                  * the set may no longer be used but there could be a JSObject
                  * which originally had the type and was changed to a different
                  * type object with unknown properties.
                  */
-                if (object->unknownProperties) {
+                if (object->unknownProperties)
                     types->objectSet[i] = &compartment->typeEmpty;
-                    if (!types->objectSet[i])
-                        compartment->setPendingNukeTypes(cx);
-                } else {
+                else
                     types->objectSet[i] = NULL;
-                }
                 removed = true;
             }
         }
         if (removed) {
             /* Reconstruct the type set to re-resolve hash collisions. */
             TypeObject **oldArray = types->objectSet;
             types->objectSet = NULL;
             types->objectCount = 0;
@@ -4242,18 +4239,16 @@ CondenseSweepTypeSet(JSContext *cx, Type
             }
             ::js_free(oldArray);
         }
     } else if (types->objectCount == 1) {
         TypeObject *object = (TypeObject*) types->objectSet;
         if (!object->marked) {
             if (object->unknownProperties) {
                 types->objectSet = (TypeObject**) &compartment->typeEmpty;
-                if (!types->objectSet)
-                    compartment->setPendingNukeTypes(cx);
             } else {
                 types->objectSet = NULL;
                 types->objectCount = 0;
             }
         }
     }
 
     TypeConstraint *constraint = types->constraintList;
@@ -4519,16 +4514,34 @@ JSScript::condenseTypes(JSContext *cx)
                 varTypes[i].destroy(cx);
             cx->free(varTypes);
             varTypes = NULL;
         } else {
             for (unsigned i = 0; i < num; i++)
                 js::types::CondenseSweepTypeSet(cx, &compartment->types, pcondensed, &varTypes[i]);
         }
     }
+
+    js::types::TypeResult **presult = &typeResults;
+    while (*presult) {
+        js::types::TypeResult *result = *presult;
+        if (js::types::TypeIsObject(result->type)) {
+            js::types::TypeObject *object = (js::types::TypeObject *) result->type;
+            if (!object->marked) {
+                if (!object->unknownProperties) {
+                    *presult = result->next;
+                    cx->free(result);
+                    continue;
+                } else {
+                    result->type = (js::types::jstype) &compartment->types.typeEmpty;
+                }
+            }
+        }
+        presult = &result->next;
+    }
 }
 
 void
 JSScript::sweepTypes(JSContext *cx)
 {
     SweepTypeObjectList(cx, typeObjects);
 
     if (types && !compartment->types.inferenceDepth) {
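Review bot: The loop added at the end of JSScript::condenseTypes has no comment saying why an unmarked type object with unknownProperties is retargeted to `compartment->types.typeEmpty` rather than having its TypeResult unlinked; that rationale (mutable __proto__) is written only in CondenseSweepTypeSet, where the two earlier hunks apply the same rule. I would add above the `while`: `/* Sweep type results: unlink those whose type object is unmarked, or retarget them to typeEmpty if it has unknown properties (see CondenseSweepTypeSet). */`. The loop also relies on `object->marked` being current and on the objects still being allocated when it runs, presumably before SweepTypeObjectList in sweepTypes releases them; that ordering is not visible here and belongs in the comment, since a missed entry would leave `result->type` pointing at a freed TypeObject. As a style point, the `else` after `continue` is redundant, so the retarget assignment can be un-nested. condenseTypes begins outside this hunk and sweepTypes continues past it.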