Back out 19 changesets (bug 1055472) for hazards and jstest failures

CLOSED TREE Backed out changeset 738e23a218c8 (bug 1055472) Backed out changeset 2c454e1ac50c (bug 1055472) Backed out changeset 40919fcffecd (bug 1055472) Backed out changeset f42360dbd545 (bug 1055472) Backed out changeset ce74f9a7b479 (bug 1055472) Backed out changeset 8b8fa139568b (bug 1055472) Backed out changeset 42d1ecbce781 (bug 1055472) Backed out changeset ccb9403a345c (bug 1055472) Backed out changeset fdd35ea9ef38 (bug 1055472) Backed out changeset 2f77faf418ce (bug 1055472) Backed out changeset 1e968e8a279a (bug 1055472) Backed out changeset d3975d948208 (bug 1055472) Backed out changeset 03d708347ebb (bug 1055472) Backed out changeset 5ec1640cdfd2 (bug 1055472) Backed out changeset 5e2b91587001 (bug 1055472) Backed out changeset fd09d5077094 (bug 1055472) Backed out changeset 2e58e0e479b7 (bug 1055472) Backed out changeset 67f0802a5c13 (bug 1055472) Backed out changeset 69d9fb855787 (bug 1055472)
NanaseRuri · Nov 14, 2015 · 27a0282 · 27a0282
1 parent feb7e51
commit 27a0282
Show file tree

Hide file tree

Showing 50 changed files with 266 additions and 806 deletions.
diff --git a/js/src/builtin/MapObject.cpp b/js/src/builtin/MapObject.cpp
@@ -221,7 +221,7 @@ MapIteratorObject::next(JSContext* cx, Handle<MapIteratorObject*> mapIterator,
 
 const Class MapObject::class_ = {
     "Map",
-    JSCLASS_HAS_PRIVATE |
+    JSCLASS_HAS_PRIVATE | 
     JSCLASS_HAS_CACHED_PROTO(JSProto_Map),
     nullptr, // addProperty
     nullptr, // delProperty
@@ -412,20 +412,21 @@ MapObject::set(JSContext* cx, HandleObject obj, HandleValue k, HandleValue v)
 }
 
 MapObject*
-MapObject::create(JSContext* cx, HandleObject proto /* = nullptr */)
+MapObject::create(JSContext* cx)
 {
-    auto map = cx->make_unique<ValueMap>(cx->runtime());
+    Rooted<MapObject*> obj(cx, NewBuiltinClassInstance<MapObject>(cx));
+    if (!obj)
+        return nullptr;
+
+    ValueMap* map = cx->new_<ValueMap>(cx->runtime());
     if (!map || !map->init()) {
+        js_delete(map);
         ReportOutOfMemory(cx);
         return nullptr;
     }
 
-    MapObject* mapObj = NewObjectWithClassProto<MapObject>(cx,  proto);
-    if (!mapObj)
-        return nullptr;
-
-    mapObj->setPrivate(map.release());
-    return mapObj;
+    obj->setPrivate(map);
+    return obj;
 }
 
 void
@@ -443,12 +444,7 @@ MapObject::construct(JSContext* cx, unsigned argc, Value* vp)
     if (!ThrowIfNotConstructing(cx, args, "Map"))
         return false;
 
-    RootedObject proto(cx);
-    RootedObject newTarget(cx, &args.newTarget().toObject());
-    if (!GetPrototypeFromConstructor(cx, newTarget, &proto))
-        return false;
-
-    Rooted<MapObject*> obj(cx, MapObject::create(cx, proto));
+    Rooted<MapObject*> obj(cx, MapObject::create(cx));
     if (!obj)
         return false;
 
@@ -1068,19 +1064,19 @@ SetObject::add(JSContext* cx, HandleObject obj, HandleValue k)
 }
 
 SetObject*
-SetObject::create(JSContext* cx, HandleObject proto /* = nullptr */)
+SetObject::create(JSContext* cx)
 {
-    auto set = cx->make_unique<ValueSet>(cx->runtime());
+    SetObject* obj = NewBuiltinClassInstance<SetObject>(cx);
+    if (!obj)
+        return nullptr;
+
+    ValueSet* set = cx->new_<ValueSet>(cx->runtime());
     if (!set || !set->init()) {
+        js_delete(set);
         ReportOutOfMemory(cx);
         return nullptr;
     }
-
-    SetObject* obj = NewObjectWithClassProto<SetObject>(cx, proto);
-    if (!obj)
-        return nullptr;
-
-    obj->setPrivate(set.release());
+    obj->setPrivate(set);
     return obj;
 }
 
@@ -1110,12 +1106,7 @@ SetObject::construct(JSContext* cx, unsigned argc, Value* vp)
     if (!ThrowIfNotConstructing(cx, args, "Set"))
         return false;
 
-    RootedObject proto(cx);
-    RootedObject newTarget(cx, &args.newTarget().toObject());
-    if (!GetPrototypeFromConstructor(cx, newTarget, &proto))
-        return false;
-
-    Rooted<SetObject*> obj(cx, SetObject::create(cx, proto));
+    Rooted<SetObject*> obj(cx, SetObject::create(cx));
     if (!obj)
         return false;
 

diff --git a/js/src/builtin/MapObject.h b/js/src/builtin/MapObject.h
@@ -92,7 +92,7 @@ class MapObject : public NativeObject {
                                             JS::AutoValueVector* entries);
     static bool entries(JSContext* cx, unsigned argc, Value* vp);
     static bool has(JSContext* cx, unsigned argc, Value* vp);
-    static MapObject* create(JSContext* cx, HandleObject proto = nullptr);
+    static MapObject* create(JSContext* cx);
 
     // Publicly exposed Map calls for JSAPI access (webidl maplike/setlike
     // interfaces, etc.)
@@ -181,7 +181,7 @@ class SetObject : public NativeObject {
 
     // Publicly exposed Set calls for JSAPI access (webidl maplike/setlike
     // interfaces, etc.)
-    static SetObject* create(JSContext *cx, HandleObject proto = nullptr);
+    static SetObject* create(JSContext *cx);
     static uint32_t size(JSContext *cx, HandleObject obj);
     static bool has(JSContext *cx, HandleObject obj, HandleValue key, bool* rval);
     static bool clear(JSContext *cx, HandleObject obj);

diff --git a/js/src/builtin/Object.cpp b/js/src/builtin/Object.cpp
@@ -33,12 +33,7 @@ js::obj_construct(JSContext* cx, unsigned argc, Value* vp)
     CallArgs args = CallArgsFromVp(argc, vp);
 
     RootedObject obj(cx, nullptr);
-    if (args.isConstructing() && (&args.newTarget().toObject() != &args.callee())) {
-        RootedObject newTarget(cx, &args.newTarget().toObject());
-        obj = CreateThis(cx, &PlainObject::class_, newTarget);
-        if (!obj)
-            return false;
-    } else if (args.length() > 0 && !args[0].isNullOrUndefined()) {
+    if (args.length() > 0 && !args[0].isNullOrUndefined()) {
         obj = ToObject(cx, args[0]);
         if (!obj)
             return false;

diff --git a/js/src/builtin/RegExp.cpp b/js/src/builtin/RegExp.cpp
@@ -185,7 +185,7 @@ RegExpInitialize(JSContext* cx, Handle<RegExpObject*> obj, HandleValue patternVa
     }
 
     /* Steps 11-15. */
-    if (!RegExpObject::initFromAtom(cx, obj, pattern, flags))
+    if (!InitializeRegExp(cx, obj, pattern, flags))
         return false;
 
     /* Step 16. */
@@ -268,7 +268,7 @@ regexp_compile_impl(JSContext* cx, const CallArgs& args)
         }
 
         // Step 5.
-        if (!RegExpObject::initFromAtom(cx, regexp, sourceAtom, flags))
+        if (!InitializeRegExp(cx, regexp, sourceAtom, flags))
             return false;
 
         args.rval().setObject(*regexp);
@@ -307,11 +307,11 @@ js::regexp_construct(JSContext* cx, unsigned argc, Value* vp)
     if (!IsRegExp(cx, args.get(0), &patternIsRegExp))
         return false;
 
+    if (args.isConstructing()) {
+        // XXX Step 3!
+    } else {
+        // XXX Step 4a
 
-    // We can delay step 3 and step 4a until later, during
-    // GetPrototypeFromCallableConstructor calls. Accessing the new.target
-    // and the callee from the stack is unobservable.
-    if (!args.isConstructing()) {
         // Step 4b.
         if (patternIsRegExp && !args.hasDefined(1)) {
             RootedObject patternObj(cx, &args[0].toObject());
@@ -341,7 +341,6 @@ js::regexp_construct(JSContext* cx, unsigned argc, Value* vp)
         // don't reuse the RegExpShared below.
         RootedObject patternObj(cx, &patternValue.toObject());
 
-        // Step 5
         RootedAtom sourceAtom(cx);
         RegExpFlag flags;
         {
@@ -354,30 +353,27 @@ js::regexp_construct(JSContext* cx, unsigned argc, Value* vp)
             if (!args.hasDefined(1)) {
                 // Step 5b.
                 flags = g->getFlags();
+            } else {
+                // Step 5c.
+                // XXX We shouldn't be converting to string yet!  This must
+                //     come *after* the .constructor access in step 8.
+                flags = RegExpFlag(0);
+                RootedString flagStr(cx, ToString<CanGC>(cx, args[1]));
+                if (!flagStr)
+                    return false;
+                if (!ParseRegExpFlags(cx, flagStr, &flags))
+                    return false;
             }
         }
 
         // Steps 8-9.
-        RootedObject proto(cx);
-        if (!GetPrototypeFromCallableConstructor(cx, args, &proto))
-            return false;
-
-        Rooted<RegExpObject*> regexp(cx, RegExpAlloc(cx, proto));
+        // XXX Note bug in step 5c, with respect to step 8.
+        Rooted<RegExpObject*> regexp(cx, RegExpAlloc(cx));
         if (!regexp)
             return false;
 
         // Step 10.
-        if (args.hasDefined(1)) {
-            // Step 5c / 21.2.3.2.2 RegExpInitialize step 5.
-            flags = RegExpFlag(0);
-            RootedString flagStr(cx, ToString<CanGC>(cx, args[1]));
-            if (!flagStr)
-                return false;
-            if (!ParseRegExpFlags(cx, flagStr, &flags))
-                return false;
-        }
-
-        if (!RegExpObject::initFromAtom(cx, regexp, sourceAtom, flags))
+        if (!InitializeRegExp(cx, regexp, sourceAtom, flags))
             return false;
 
         args.rval().setObject(*regexp);
@@ -408,11 +404,7 @@ js::regexp_construct(JSContext* cx, unsigned argc, Value* vp)
     }
 
     // Steps 8-9.
-    RootedObject proto(cx);
-    if (!GetPrototypeFromCallableConstructor(cx, args, &proto))
-        return false;
-
-    Rooted<RegExpObject*> regexp(cx, RegExpAlloc(cx, proto));
+    Rooted<RegExpObject*> regexp(cx, RegExpAlloc(cx));
     if (!regexp)
         return false;
 
@@ -709,9 +701,7 @@ js::CreateRegExpPrototype(JSContext* cx, JSProtoKey key)
     proto->NativeObject::setPrivate(nullptr);
 
     RootedAtom source(cx, cx->names().empty);
-    if (!RegExpObject::initFromAtom(cx, proto, source, RegExpFlag(0)))
-        return nullptr;
-    return proto;
+    return InitializeRegExp(cx, proto, source, RegExpFlag(0));
 }
 
 static bool

diff --git a/js/src/builtin/WeakMapObject.cpp b/js/src/builtin/WeakMapObject.cpp
@@ -316,8 +316,7 @@ WeakMap_construct(JSContext* cx, unsigned argc, Value* vp)
     if (!ThrowIfNotConstructing(cx, args, "WeakMap"))
         return false;
 
-    RootedObject newTarget(cx, &args.newTarget().toObject());
-    RootedObject obj(cx, CreateThis(cx, &WeakMapObject::class_, newTarget));
+    RootedObject obj(cx, NewBuiltinClassInstance(cx, &WeakMapObject::class_));
     if (!obj)
         return false;
 

diff --git a/js/src/builtin/WeakSetObject.cpp b/js/src/builtin/WeakSetObject.cpp
@@ -61,14 +61,14 @@ WeakSetObject::initClass(JSContext* cx, JSObject* obj)
 }
 
 WeakSetObject*
-WeakSetObject::create(JSContext* cx, HandleObject proto /* = nullptr */)
+WeakSetObject::create(JSContext* cx)
 {
-    RootedObject map(cx, NewBuiltinClassInstance<WeakMapObject>(cx));
-    if (!map)
+    Rooted<WeakSetObject*> obj(cx, NewBuiltinClassInstance<WeakSetObject>(cx));
+    if (!obj)
         return nullptr;
 
-    WeakSetObject* obj = NewObjectWithClassProto<WeakSetObject>(cx, proto);
-    if (!obj)
+    RootedObject map(cx, JS::NewWeakMapObject(cx));
+    if (!map)
         return nullptr;
 
     obj->setReservedSlot(WEAKSET_MAP_SLOT, ObjectValue(*map));
@@ -78,21 +78,16 @@ WeakSetObject::create(JSContext* cx, HandleObject proto /* = nullptr */)
 bool
 WeakSetObject::construct(JSContext* cx, unsigned argc, Value* vp)
 {
+    Rooted<WeakSetObject*> obj(cx, WeakSetObject::create(cx));
+    if (!obj)
+        return false;
+
     // Based on our "Set" implementation instead of the more general ES6 steps.
     CallArgs args = CallArgsFromVp(argc, vp);
 
     if (!ThrowIfNotConstructing(cx, args, "WeakSet"))
         return false;
 
-    RootedObject proto(cx);
-    RootedObject newTarget(cx, &args.newTarget().toObject());
-    if (!GetPrototypeFromConstructor(cx, newTarget, &proto))
-        return false;
-
-    Rooted<WeakSetObject*> obj(cx, WeakSetObject::create(cx, proto));
-    if (!obj)
-        return false;
-
     if (!args.get(0).isNullOrUndefined()) {
         RootedObject map(cx, &obj->getReservedSlot(WEAKSET_MAP_SLOT).toObject());
 

diff --git a/js/src/builtin/WeakSetObject.h b/js/src/builtin/WeakSetObject.h
@@ -23,7 +23,7 @@ class WeakSetObject : public NativeObject
     static const JSPropertySpec properties[];
     static const JSFunctionSpec methods[];
 
-    static WeakSetObject* create(JSContext* cx, HandleObject proto = nullptr);
+    static WeakSetObject* create(JSContext* cx);
     static bool construct(JSContext* cx, unsigned argc, Value* vp);
 };
 

diff --git a/js/src/jit-test/tests/TypedObject/bug976697.js b/js/src/jit-test/tests/TypedObject/bug976697.js
@@ -0,0 +1,15 @@
+// Test that instantiating a typed array on top of a neutered buffer
+// doesn't trip any asserts.
+//
+// Any copyright is dedicated to the Public Domain.
+// http://creativecommons.org/licenses/publicdomain/
+
+x = new ArrayBuffer();
+neuter(x, "same-data");
+new Uint32Array(x);
+gc();
+
+x = new ArrayBuffer();
+neuter(x, "change-data");
+new Uint32Array(x);
+gc();
diff --git a/js/src/jit/BaselineIC.cpp b/js/src/jit/BaselineIC.cpp
@@ -8278,7 +8278,7 @@ GetTemplateObjectForNative(JSContext* cx, Native native, const CallArgs& args,
 
     if (native == StringConstructor) {
         RootedString emptyString(cx, cx->runtime()->emptyString);
-        res.set(StringObject::create(cx, emptyString, /* proto = */ nullptr, TenuredObject));
+        res.set(StringObject::create(cx, emptyString, TenuredObject));
         return !!res;
     }