blob: 96b83c118c8c0fba218a92603a19d579138da2da (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
|
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/2839062f84fb
# HG changeset patch
# User Jan de Mooij <jdemooij@mozilla.com>
# Date 1455119320 -3600
# Node ID 2839062f84fb6cba2781ea8d59150f13d4813ddc
# Parent 185b233ea03f3811404e3979b65ec86b29d13555
Bug 1242279 - r=bhackett1024 a=sylvestre
diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3961,16 +3961,22 @@ JSScript::maybeSweepTypes(AutoClearTypeI
unsigned num = TypeScript::NumTypeSets(this);
StackTypeSet* typeArray = types_->typeArray();
// Remove constraints and references to dead objects from stack type sets.
for (unsigned i = 0; i < num; i++)
typeArray[i].sweep(zone(), *oom);
+ if (oom->hadOOM()) {
+ // It's possible we OOM'd while copying freeze constraints, so they
+ // need to be regenerated.
+ hasFreezeConstraints_ = false;
+ }
+
// Update the recompile indexes in any IonScripts still on the script.
if (hasIonScript())
ionScript()->recompileInfoRef().shouldSweep(types);
}
void
TypeScript::destroy()
{
diff --git a/js/src/vm/TypeInference.h b/js/src/vm/TypeInference.h
--- a/js/src/vm/TypeInference.h
+++ b/js/src/vm/TypeInference.h
@@ -566,16 +566,19 @@ class AutoClearTypeInferenceStateOnOOM
: zone(zone), oom(false)
{}
~AutoClearTypeInferenceStateOnOOM();
void setOOM() {
oom = true;
}
+ bool hadOOM() const {
+ return oom;
+ }
};
/* Superclass common to stack and heap type sets. */
class ConstraintTypeSet : public TypeSet
{
public:
/* Chain of constraints which propagate changes out from this type set. */
TypeConstraint* constraintList;
|