Diffstat (limited to '')
-rw-r--r--js/src/jit/CacheIR.cpp11
-rw-r--r--js/src/jit/IonAnalysis.cpp4
-rw-r--r--js/src/jit/JitFrames.cpp20
-rw-r--r--js/src/vm/BigIntType.h1
-rw-r--r--js/src/vm/StructuredClone.cpp2
5 files changed, 22 insertions, 16 deletions
diff --git a/js/src/jit/CacheIR.cpp b/js/src/jit/CacheIR.cpp
index 68163e7d6c..2a7c72abe4 100644
--- a/js/src/jit/CacheIR.cpp
+++ b/js/src/jit/CacheIR.cpp
@@ -498,9 +498,14 @@ enum class NativeGetPropKind {
static NativeGetPropKind IsCacheableGetPropCall(NativeObject* obj,
NativeObject* holder,
- PropertyInfo prop) {
+ PropertyInfo prop,
+ jsbytecode* pc = nullptr) {
MOZ_ASSERT(IsCacheableProtoChain(obj, holder));
+ if (pc && JSOp(*pc) == JSOp::GetBoundName) {
+ return NativeGetPropKind::None;
+ }
+
if (!prop.isAccessorProperty()) {
return NativeGetPropKind::None;
}
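Review bot: The new `pc` parameter defaults to `nullptr`, so any caller that omits it silently skips the `JSOp::GetBoundName` bail-out added at the top of `IsCacheableGetPropCall`. The two call sites updated later in this file pass `pc` and `pc_`, but a caller outside the visible hunks would keep compiling without the check; making the parameter required (`PropertyInfo prop, jsbytecode* pc) {`) would force each caller to decide explicitly. The early return also carries no comment saying why getter calls must not be cached for this op, and a short why-comment above `if (pc && JSOp(*pc) == JSOp::GetBoundName) {` would keep the guard from being dropped in a later cleanup. The function body continues past the end of the hunk.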
@@ -593,7 +598,7 @@ static NativeGetPropKind CanAttachNativeGetProp(JSContext* cx, JSObject* obj,
return NativeGetPropKind::Slot;
}
- return IsCacheableGetPropCall(nobj, *holder, propInfo->ref());
+ return IsCacheableGetPropCall(nobj, *holder, propInfo->ref(), pc);
}
if (!prop.isFound()) {
@@ -3130,7 +3135,7 @@ AttachDecision GetNameIRGenerator::tryAttachGlobalNameGetter(ObjOperandId objId,
GlobalObject* global = &globalLexical->global();
- NativeGetPropKind kind = IsCacheableGetPropCall(global, holder, *prop);
+ NativeGetPropKind kind = IsCacheableGetPropCall(global, holder, *prop, pc_);
if (kind != NativeGetPropKind::NativeGetter &&
kind != NativeGetPropKind::ScriptedGetter) {
return AttachDecision::NoAction;
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index d15c0d5df0..77b166af04 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -747,13 +747,13 @@ static bool IsDiamondPattern(MBasicBlock* initialBlock) {
MTest* initialTest = ins->toTest();
MBasicBlock* trueBranch = initialTest->ifTrue();
- if (trueBranch->numPredecessors() != 1 || trueBranch->numSuccessors() != 1) {
+ if (trueBranch->numPredecessors() != 1 || !trueBranch->lastIns()->isGoto()) {
return false;
}
MBasicBlock* falseBranch = initialTest->ifFalse();
if (falseBranch->numPredecessors() != 1 ||
- falseBranch->numSuccessors() != 1) {
+ !falseBranch->lastIns()->isGoto()) {
return false;
}
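Review bot: The switch from `numSuccessors() != 1` to `!lastIns()->isGoto()` in both branch checks is stricter than the old test, but nothing in the code records why. Presumably a block can have a single successor while ending in a control instruction other than a goto, which the diamond handling that follows does not expect; that should be confirmed and written down, for example `// Require an unconditional goto: a single successor alone does not imply the block ends in one.` above the `trueBranch` check. `IsDiamondPattern` starts and ends outside the hunk, so the code that relies on this condition could not be checked here.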
diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
index fd65289e61..5e723041cd 100644
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@@ -897,32 +897,32 @@ static void TraceThisAndArguments(JSTracer* trc, const JSJitFrameIter& frame,
return;
}
- size_t nargs = layout->numActualArgs();
- size_t nformals = 0;
-
JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
+
+ size_t numFormals = fun->nargs();
+ size_t numArgs = std::max(layout->numActualArgs(), numFormals);
+ size_t firstArg = 0;
+
if (frame.type() != FrameType::JSJitToWasm &&
!frame.isExitFrameLayout<CalledFromJitExitFrameLayout>() &&
!fun->nonLazyScript()->mayReadFrameArgsDirectly()) {
- nformals = fun->nargs();
+ firstArg = numFormals;
}
- size_t newTargetOffset = std::max(nargs, fun->nargs());
-
Value* argv = layout->thisAndActualArgs();
// Trace |this|.
TraceRoot(trc, argv, "ion-thisv");
- // Trace actual arguments beyond the formals. Note + 1 for thisv.
- for (size_t i = nformals + 1; i < nargs + 1; i++) {
- TraceRoot(trc, &argv[i], "ion-argv");
+ // Trace arguments. Note + 1 for thisv.
+ for (size_t i = firstArg; i < numArgs; i++) {
+ TraceRoot(trc, &argv[i + 1], "ion-argv");
}
// Always trace the new.target from the frame. It's not in the snapshots.
// +1 to pass |this|
if (CalleeTokenIsConstructing(layout->calleeToken())) {
- TraceRoot(trc, &argv[1 + newTargetOffset], "ion-newTarget");
+ TraceRoot(trc, &argv[1 + numArgs], "ion-newTarget");
}
}
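Review bot: The reworked loop depends on `firstArg` being either 0 or `numFormals`, yet the comment `// Trace arguments. Note + 1 for thisv.` no longer says which arguments are skipped or why. When `firstArg = numFormals` and fewer actuals than formals were passed the loop traces nothing, and when `firstArg` stays 0 the range now also covers formal slots beyond `numActualArgs()`; both cases deserve a sentence. I would put something like `// Formals are skipped unless the script may read frame args directly; the range runs to max(actuals, formals) so every formal slot is covered.` above the loop, after confirming how the skipped formals are kept alive elsewhere. The function starts above the hunk.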
diff --git a/js/src/vm/BigIntType.h b/js/src/vm/BigIntType.h
index c8e264b20b..fe70d0cf69 100644
--- a/js/src/vm/BigIntType.h
+++ b/js/src/vm/BigIntType.h
@@ -398,6 +398,7 @@ class BigInt final : public js::gc::CellWithLengthAndFlags {
static JSLinearString* toStringGeneric(JSContext* cx, Handle<BigInt*>,
unsigned radix);
+ friend struct ::JSStructuredCloneReader; // So it can call the following:
static BigInt* destructivelyTrimHighZeroDigits(JSContext* cx, BigInt* x);
bool absFitsInUint64() const { return digitLength() <= 64 / DigitBits; }
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
index 7eafc89113..1ba63c7fee 100644
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -2489,7 +2489,7 @@ BigInt* JSStructuredCloneReader::readBigInt(uint32_t data) {
if (!in.readArray(result->digits().data(), length)) {
return nullptr;
}
- return result;
+ return JS::BigInt::destructivelyTrimHighZeroDigits(context(), result);
}
static uint32_t TagToV1ArrayType(uint32_t tag) {
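Review bot: `readBigInt` fills the digits straight from the clone buffer and the new `return` normalises them, but there is no comment saying that the serialized input is not trusted to be in canonical form. A line such as `// Serialized data may carry high zero digits; trim them so the BigInt is canonical.` above the `return` would record why the call is needed. The length and sign decoding happen above the hunk, so whether a value that trims down to zero can still carry a sign flag could not be checked from here. A structured-clone regression test with zero-padded digits would be worth adding alongside this change if the commit does not already include one outside the listed paths.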