Bug 1512410 part 2 - Don't create a TypeNewScript for cross-realm constructors, add more asserts. r=luke
authorJan de Mooij <jdemooij@mozilla.com>
Sat, 08 Dec 2018 18:10:29 +0000
changeset 508879 09493e80dbe7c1486eb3c93960cc81f73c8c5356
parent 508878 c24a1c1237babf78b65f6331579ee8d9b5607432
child 508880 3d100f5e604d23d64866061d6e7d5db244a4a3c6
child 508911 e9ea0dbc015be66d996deeb7c6e71088488dcea1
push id1905
push userffxbld-merge
push dateMon, 21 Jan 2019 12:33:13 +0000
treeherdermozilla-release@c2fca1944d8c [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersluke
bugs1512410
milestone65.0a1
first release with
nightly linux32
09493e80dbe7 / 65.0a1 / 20181208213539 / files
nightly linux64
09493e80dbe7 / 65.0a1 / 20181208213539 / files
nightly mac
09493e80dbe7 / 65.0a1 / 20181208213539 / files
nightly win32
09493e80dbe7 / 65.0a1 / 20181208213539 / files
nightly win64
09493e80dbe7 / 65.0a1 / 20181208213539 / files
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
releases
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1512410 part 2 - Don't create a TypeNewScript for cross-realm constructors, add more asserts. r=luke Depends on D13903 Differential Revision: https://phabricator.services.mozilla.com/D13904
js/src/vm/JSFunction.cpp
js/src/vm/JSFunction.h
js/src/vm/ObjectGroup.cpp
js/src/vm/TypeInference.cpp
--- a/js/src/vm/JSFunction.cpp
+++ b/js/src/vm/JSFunction.cpp
@@ -2343,16 +2343,17 @@ static inline JSFunction* NewFunctionClo
   return clone;
 }
 
 JSFunction* js::CloneFunctionReuseScript(
     JSContext* cx, HandleFunction fun, HandleObject enclosingEnv,
     gc::AllocKind allocKind /* = FUNCTION */,
     NewObjectKind newKind /* = GenericObject */,
     HandleObject proto /* = nullptr */) {
+  MOZ_ASSERT(cx->realm() == fun->realm());
   MOZ_ASSERT(NewFunctionEnvironmentIsWellFormed(cx, enclosingEnv));
   MOZ_ASSERT(fun->isInterpreted());
   MOZ_ASSERT(!fun->isBoundFunction());
   MOZ_ASSERT(CanReuseScriptForClone(cx->realm(), fun, enclosingEnv));
 
   RootedFunction clone(cx,
                        NewFunctionClone(cx, fun, newKind, allocKind, proto));
   if (!clone) {
--- a/js/src/vm/JSFunction.h
+++ b/js/src/vm/JSFunction.h
@@ -643,19 +643,25 @@ class JSFunction : public js::NativeObje
       return lazyScript()->isAsync();
     }
     if (hasScript()) {
       return nonLazyScript()->isAsync();
     }
     return false;
   }
 
-  void setScript(JSScript* script_) { mutableScript() = script_; }
+  void setScript(JSScript* script) {
+    MOZ_ASSERT(realm() == script->realm());
+    mutableScript() = script;
+  }
 
-  void initScript(JSScript* script_) { mutableScript().init(script_); }
+  void initScript(JSScript* script) {
+    MOZ_ASSERT_IF(script, realm() == script->realm());
+    mutableScript().init(script);
+  }
 
   void setUnlazifiedScript(JSScript* script) {
     MOZ_ASSERT(isInterpretedLazy());
     if (lazyScriptOrNull()) {
       // Trigger a pre barrier on the lazy script being overwritten.
       js::LazyScript::writeBarrierPre(lazyScriptOrNull());
       if (!lazyScript()->maybeScript()) {
         lazyScript()->initScript(script);
--- a/js/src/vm/ObjectGroup.cpp
+++ b/js/src/vm/ObjectGroup.cpp
@@ -497,18 +497,20 @@ MOZ_ALWAYS_INLINE ObjectGroup* ObjectGro
   if (associated && !associated->is<TypeDescr>()) {
     MOZ_ASSERT(!clasp);
     if (associated->is<JSFunction>()) {
       // Canonicalize new functions to use the original one associated with its
       // script.
       associated = associated->as<JSFunction>().maybeCanonicalFunction();
 
       // If we have previously cleared the 'new' script information for this
-      // function, don't try to construct another one.
-      if (associated && associated->as<JSFunction>().wasNewScriptCleared()) {
+      // function, don't try to construct another one. Also, for simplicity,
+      // don't bother optimizing cross-realm constructors.
+      if (associated && (associated->as<JSFunction>().wasNewScriptCleared() ||
+                         associated->as<JSFunction>().realm() != cx->realm())) {
         associated = nullptr;
       }
 
     } else {
       associated = nullptr;
     }
 
     if (!associated) {
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3839,16 +3839,18 @@ void PreliminaryObjectArrayWithTemplate:
 // Make a TypeNewScript for |group|, and set it up to hold the preliminary
 // objects created with the group.
 /* static */ bool TypeNewScript::make(JSContext* cx, ObjectGroup* group,
                                       JSFunction* fun) {
   AutoSweepObjectGroup sweep(group);
   MOZ_ASSERT(cx->zone()->types.activeAnalysis);
   MOZ_ASSERT(!group->newScript(sweep));
   MOZ_ASSERT(!group->maybeUnboxedLayout(sweep));
+  MOZ_ASSERT(cx->realm() == group->realm());
+  MOZ_ASSERT(cx->realm() == fun->realm());
 
   // rollbackPartiallyInitializedObjects expects function_ to be
   // canonicalized.
   MOZ_ASSERT(fun->maybeCanonicalFunction() == fun);
 
   if (group->unknownProperties(sweep)) {
     return true;
   }