The Tor Browser: js/src/jsinfer.cpp@a63d609f5ebe (annotated)

js/src/jsinfer.cpp@a63d609f5ebe (annotated)

js/src/jsinfer.cpp

Thu, 15 Jan 2015 15:55:04 +0100

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Thu, 15 Jan 2015 15:55:04 +0100
branch: TOR_BUG_9701
changeset 9: a63d609f5ebe
permissions: -rw-r--r--

Back out 97036ab72558 which inappropriately compared turds to third parties.

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*-
  * vim: set ts=8 sts=4 et sw=4 tw=99:
  * This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 #include "jsinferinlines.h"
 #include "mozilla/DebugOnly.h"
 #include "mozilla/MemoryReporting.h"
 #include "mozilla/PodOperations.h"
 #include "jsapi.h"
 #include "jscntxt.h"
 #include "jsgc.h"
 #include "jshashutil.h"
 #include "jsobj.h"
 #include "jsprf.h"
 #include "jsscript.h"
 #include "jsstr.h"
 #include "jsworkers.h"
 #include "prmjtime.h"
 #include "gc/Marking.h"
 #ifdef JS_ION
 #include "jit/BaselineJIT.h"
 #include "jit/Ion.h"
 #include "jit/IonAnalysis.h"
 #include "jit/JitCompartment.h"
 #endif
 #include "js/MemoryMetrics.h"
 #include "vm/Opcodes.h"
 #include "vm/Shape.h"
 #include "jsatominlines.h"
 #include "jsgcinlines.h"
 #include "jsobjinlines.h"
 #include "jsscriptinlines.h"
 #include "jit/ExecutionMode-inl.h"
 using namespace js;
 using namespace js::gc;
 using namespace js::types;
 using namespace js::analyze;
 using mozilla::DebugOnly;
 using mozilla::Maybe;
 using mozilla::PodArrayZero;
 using mozilla::PodCopy;
 using mozilla::PodZero;
 static inline jsid
 id_prototype(JSContext *cx) {
     return NameToId(cx->names().prototype);
 }
 static inline jsid
 id___proto__(JSContext *cx) {
     return NameToId(cx->names().proto);
 }
 static inline jsid
 id_constructor(JSContext *cx) {
     return NameToId(cx->names().constructor);
 }
 static inline jsid
 id_caller(JSContext *cx) {
     return NameToId(cx->names().caller);
 }
 #ifdef DEBUG
 const char *
 types::TypeIdStringImpl(jsid id)
 {
     if (JSID_IS_VOID(id))
         return "(index)";
     if (JSID_IS_EMPTY(id))
         return "(new)";
     static char bufs[4][100];
     static unsigned which = 0;
     which = (which + 1) & 3;
     PutEscapedString(bufs[which], 100, JSID_TO_FLAT_STRING(id), 0);
     return bufs[which];
 }
 #endif
 /////////////////////////////////////////////////////////////////////
 // Logging
 /////////////////////////////////////////////////////////////////////
 #ifdef DEBUG
 static bool InferSpewActive(SpewChannel channel)
 {
     static bool active[SPEW_COUNT];
     static bool checked = false;
     if (!checked) {
         checked = true;
         PodArrayZero(active);
         const char *env = getenv("INFERFLAGS");
         if (!env)
             return false;
         if (strstr(env, "ops"))
             active[ISpewOps] = true;
         if (strstr(env, "result"))
             active[ISpewResult] = true;
         if (strstr(env, "full")) {
             for (unsigned i = 0; i < SPEW_COUNT; i++)
                 active[i] = true;
         }
     }
     return active[channel];
 }
 static bool InferSpewColorable()
 {
     /* Only spew colors on xterm-color to not screw up emacs. */
     static bool colorable = false;
     static bool checked = false;
     if (!checked) {
         checked = true;
         const char *env = getenv("TERM");
         if (!env)
             return false;
         if (strcmp(env, "xterm-color") == 0 || strcmp(env, "xterm-256color") == 0)
             colorable = true;
     }
     return colorable;
 }
 const char *
 types::InferSpewColorReset()
 {
     if (!InferSpewColorable())
         return "";
     return "\x1b[0m";
 }
 const char *
 types::InferSpewColor(TypeConstraint *constraint)
 {
     /* Type constraints are printed out using foreground colors. */
     static const char * const colors[] = { "\x1b[31m", "\x1b[32m", "\x1b[33m",
                                            "\x1b[34m", "\x1b[35m", "\x1b[36m",
                                            "\x1b[37m" };
     if (!InferSpewColorable())
         return "";
     return colors[DefaultHasher<TypeConstraint *>::hash(constraint) % 7];
 }
 const char *
 types::InferSpewColor(TypeSet *types)
 {
     /* Type sets are printed out using bold colors. */
     static const char * const colors[] = { "\x1b[1;31m", "\x1b[1;32m", "\x1b[1;33m",
                                            "\x1b[1;34m", "\x1b[1;35m", "\x1b[1;36m",
                                            "\x1b[1;37m" };
     if (!InferSpewColorable())
         return "";
     return colors[DefaultHasher<TypeSet *>::hash(types) % 7];
 }
 const char *
 types::TypeString(Type type)
 {
     if (type.isPrimitive()) {
         switch (type.primitive()) {
           case JSVAL_TYPE_UNDEFINED:
             return "void";
           case JSVAL_TYPE_NULL:
             return "null";
           case JSVAL_TYPE_BOOLEAN:
             return "bool";
           case JSVAL_TYPE_INT32:
             return "int";
           case JSVAL_TYPE_DOUBLE:
             return "float";
           case JSVAL_TYPE_STRING:
             return "string";
           case JSVAL_TYPE_MAGIC:
             return "lazyargs";
           default:
             MOZ_ASSUME_UNREACHABLE("Bad type");
         }
     }
     if (type.isUnknown())
         return "unknown";
     if (type.isAnyObject())
         return " object";
     static char bufs[4][40];
     static unsigned which = 0;
     which = (which + 1) & 3;
     if (type.isSingleObject())
         JS_snprintf(bufs[which], 40, "<0x%p>", (void *) type.singleObject());
     else
         JS_snprintf(bufs[which], 40, "[0x%p]", (void *) type.typeObject());
     return bufs[which];
 }
 const char *
 types::TypeObjectString(TypeObject *type)
 {
     return TypeString(Type::ObjectType(type));
 }
 unsigned JSScript::id() {
     if (!id_) {
         id_ = ++compartment()->types.scriptCount;
         InferSpew(ISpewOps, "script #%u: %p %s:%d",
                   id_, this, filename() ? filename() : "<null>", lineno());
     }
     return id_;
 }
 void
 types::InferSpew(SpewChannel channel, const char *fmt, ...)
 {
     if (!InferSpewActive(channel))
         return;
     va_list ap;
     va_start(ap, fmt);
     fprintf(stderr, "[infer] ");
     vfprintf(stderr, fmt, ap);
     fprintf(stderr, "\n");
     va_end(ap);
 }
 bool
 types::TypeHasProperty(JSContext *cx, TypeObject *obj, jsid id, const Value &value)
 {
     /*
      * Check the correctness of the type information in the object's property
      * against an actual value.
      */
     if (!obj->unknownProperties() && !value.isUndefined()) {
         id = IdToTypeId(id);
         /* Watch for properties which inference does not monitor. */
         if (id == id___proto__(cx) || id == id_constructor(cx) || id == id_caller(cx))
             return true;
         Type type = GetValueType(value);
         AutoEnterAnalysis enter(cx);
         /*
          * We don't track types for properties inherited from prototypes which
          * haven't yet been accessed during analysis of the inheriting object.
          * Don't do the property instantiation now.
          */
         TypeSet *types = obj->maybeGetProperty(id);
         if (!types)
             return true;
         if (!types->hasType(type)) {
             TypeFailure(cx, "Missing type in object %s %s: %s",
                         TypeObjectString(obj), TypeIdString(id), TypeString(type));
         }
     }
     return true;
 }
 #endif
 void
 types::TypeFailure(JSContext *cx, const char *fmt, ...)
 {
     char msgbuf[1024]; /* Larger error messages will be truncated */
     char errbuf[1024];
     va_list ap;
     va_start(ap, fmt);
     JS_vsnprintf(errbuf, sizeof(errbuf), fmt, ap);
     va_end(ap);
     JS_snprintf(msgbuf, sizeof(msgbuf), "[infer failure] %s", errbuf);
     /* Dump type state, even if INFERFLAGS is unset. */
     cx->compartment()->types.print(cx, true);
     MOZ_ReportAssertionFailure(msgbuf, __FILE__, __LINE__);
     MOZ_CRASH();
 }
 /////////////////////////////////////////////////////////////////////
 // TypeSet
 /////////////////////////////////////////////////////////////////////
 TemporaryTypeSet::TemporaryTypeSet(Type type)
 {
     if (type.isUnknown()) {
         flags |= TYPE_FLAG_BASE_MASK;
     } else if (type.isPrimitive()) {
         flags = PrimitiveTypeFlag(type.primitive());
         if (flags == TYPE_FLAG_DOUBLE)
             flags |= TYPE_FLAG_INT32;
     } else if (type.isAnyObject()) {
         flags |= TYPE_FLAG_ANYOBJECT;
     } else  if (type.isTypeObject() && type.typeObject()->unknownProperties()) {
         flags |= TYPE_FLAG_ANYOBJECT;
     } else {
         setBaseObjectCount(1);
         objectSet = reinterpret_cast<TypeObjectKey**>(type.objectKey());
     }
 }
 bool
 TypeSet::mightBeMIRType(jit::MIRType type)
 {
     if (unknown())
         return true;
     if (type == jit::MIRType_Object)
         return unknownObject() || baseObjectCount() != 0;
     switch (type) {
       case jit::MIRType_Undefined:
         return baseFlags() & TYPE_FLAG_UNDEFINED;
       case jit::MIRType_Null:
         return baseFlags() & TYPE_FLAG_NULL;
       case jit::MIRType_Boolean:
         return baseFlags() & TYPE_FLAG_BOOLEAN;
       case jit::MIRType_Int32:
         return baseFlags() & TYPE_FLAG_INT32;
       case jit::MIRType_Float32: // Fall through, there's no JSVAL for Float32.
       case jit::MIRType_Double:
         return baseFlags() & TYPE_FLAG_DOUBLE;
       case jit::MIRType_String:
         return baseFlags() & TYPE_FLAG_STRING;
       case jit::MIRType_MagicOptimizedArguments:
         return baseFlags() & TYPE_FLAG_LAZYARGS;
       case jit::MIRType_MagicHole:
       case jit::MIRType_MagicIsConstructing:
         // These magic constants do not escape to script and are not observed
         // in the type sets.
         //
         // The reason we can return false here is subtle: if Ion is asking the
         // type set if it has seen such a magic constant, then the MIR in
         // question is the most generic type, MIRType_Value. A magic constant
         // could only be emitted by a MIR of MIRType_Value if that MIR is a
         // phi, and we check that different magic constants do not flow to the
         // same join point in GuessPhiType.
         return false;
       default:
         MOZ_ASSUME_UNREACHABLE("Bad MIR type");
     }
 }
 bool
 TypeSet::isSubset(TypeSet *other)
 {
     if ((baseFlags() & other->baseFlags()) != baseFlags())
         return false;
     if (unknownObject()) {
         JS_ASSERT(other->unknownObject());
     } else {
         for (unsigned i = 0; i < getObjectCount(); i++) {
             TypeObjectKey *obj = getObject(i);
             if (!obj)
                 continue;
             if (!other->hasType(Type::ObjectType(obj)))
                 return false;
         }
     }
     return true;
 }
 bool
 TypeSet::enumerateTypes(TypeList *list)
 {
     /* If any type is possible, there's no need to worry about specifics. */
     if (flags & TYPE_FLAG_UNKNOWN)
         return list->append(Type::UnknownType());
     /* Enqueue type set members stored as bits. */
     for (TypeFlags flag = 1; flag < TYPE_FLAG_ANYOBJECT; flag <<= 1) {
         if (flags & flag) {
             Type type = Type::PrimitiveType(TypeFlagPrimitive(flag));
             if (!list->append(type))
                 return false;
         }
     }
     /* If any object is possible, skip specifics. */
     if (flags & TYPE_FLAG_ANYOBJECT)
         return list->append(Type::AnyObjectType());
     /* Enqueue specific object types. */
     unsigned count = getObjectCount();
     for (unsigned i = 0; i < count; i++) {
         TypeObjectKey *object = getObject(i);
         if (object) {
             if (!list->append(Type::ObjectType(object)))
                 return false;
         }
     }
     return true;
 }
 inline bool
 TypeSet::addTypesToConstraint(JSContext *cx, TypeConstraint *constraint)
 {
     /*
      * Build all types in the set into a vector before triggering the
      * constraint, as doing so may modify this type set.
      */
     TypeList types;
     if (!enumerateTypes(&types))
         return false;
     for (unsigned i = 0; i < types.length(); i++)
         constraint->newType(cx, this, types[i]);
     return true;
 }
 bool
 ConstraintTypeSet::addConstraint(JSContext *cx, TypeConstraint *constraint, bool callExisting)
 {
     if (!constraint) {
         /* OOM failure while constructing the constraint. */
         return false;
     }
     JS_ASSERT(cx->compartment()->activeAnalysis);
     InferSpew(ISpewOps, "addConstraint: %sT%p%s %sC%p%s %s",
               InferSpewColor(this), this, InferSpewColorReset(),
               InferSpewColor(constraint), constraint, InferSpewColorReset(),
               constraint->kind());
     JS_ASSERT(constraint->next == nullptr);
     constraint->next = constraintList;
     constraintList = constraint;
     if (callExisting)
         return addTypesToConstraint(cx, constraint);
     return true;
 }
 void
 TypeSet::clearObjects()
 {
     setBaseObjectCount(0);
     objectSet = nullptr;
 }
 void
 TypeSet::addType(Type type, LifoAlloc *alloc)
 {
     if (unknown())
         return;
     if (type.isUnknown()) {
         flags |= TYPE_FLAG_BASE_MASK;
         clearObjects();
         JS_ASSERT(unknown());
         return;
     }
     if (type.isPrimitive()) {
         TypeFlags flag = PrimitiveTypeFlag(type.primitive());
         if (flags & flag)
             return;
         /* If we add float to a type set it is also considered to contain int. */
         if (flag == TYPE_FLAG_DOUBLE)
             flag |= TYPE_FLAG_INT32;
         flags |= flag;
         return;
     }
     if (flags & TYPE_FLAG_ANYOBJECT)
         return;
     if (type.isAnyObject())
         goto unknownObject;
     {
         uint32_t objectCount = baseObjectCount();
         TypeObjectKey *object = type.objectKey();
         TypeObjectKey **pentry = HashSetInsert<TypeObjectKey *,TypeObjectKey,TypeObjectKey>
                                      (*alloc, objectSet, objectCount, object);
         if (!pentry)
             goto unknownObject;
         if (*pentry)
             return;
         *pentry = object;
         setBaseObjectCount(objectCount);
         if (objectCount == TYPE_FLAG_OBJECT_COUNT_LIMIT)
             goto unknownObject;
     }
     if (type.isTypeObject()) {
         TypeObject *nobject = type.typeObject();
         JS_ASSERT(!nobject->singleton());
         if (nobject->unknownProperties())
             goto unknownObject;
     }
     if (false) {
     unknownObject:
         flags |= TYPE_FLAG_ANYOBJECT;
         clearObjects();
     }
 }
 void
 ConstraintTypeSet::addType(ExclusiveContext *cxArg, Type type)
 {
     JS_ASSERT(cxArg->compartment()->activeAnalysis);
     if (hasType(type))
         return;
     TypeSet::addType(type, &cxArg->typeLifoAlloc());
     if (type.isObjectUnchecked() && unknownObject())
         type = Type::AnyObjectType();
     InferSpew(ISpewOps, "addType: %sT%p%s %s",
               InferSpewColor(this), this, InferSpewColorReset(),
               TypeString(type));
     /* Propagate the type to all constraints. */
     if (JSContext *cx = cxArg->maybeJSContext()) {
         TypeConstraint *constraint = constraintList;
         while (constraint) {
             constraint->newType(cx, this, type);
             constraint = constraint->next;
         }
     } else {
         JS_ASSERT(!constraintList);
     }
 }
 void
 TypeSet::print()
 {
     if (flags & TYPE_FLAG_NON_DATA_PROPERTY)
         fprintf(stderr, " [non-data]");
     if (flags & TYPE_FLAG_NON_WRITABLE_PROPERTY)
         fprintf(stderr, " [non-writable]");
     if (definiteProperty())
         fprintf(stderr, " [definite:%d]", definiteSlot());
     if (baseFlags() == 0 && !baseObjectCount()) {
         fprintf(stderr, " missing");
         return;
     }
     if (flags & TYPE_FLAG_UNKNOWN)
         fprintf(stderr, " unknown");
     if (flags & TYPE_FLAG_ANYOBJECT)
         fprintf(stderr, " object");
     if (flags & TYPE_FLAG_UNDEFINED)
         fprintf(stderr, " void");
     if (flags & TYPE_FLAG_NULL)
         fprintf(stderr, " null");
     if (flags & TYPE_FLAG_BOOLEAN)
         fprintf(stderr, " bool");
     if (flags & TYPE_FLAG_INT32)
         fprintf(stderr, " int");
     if (flags & TYPE_FLAG_DOUBLE)
         fprintf(stderr, " float");
     if (flags & TYPE_FLAG_STRING)
         fprintf(stderr, " string");
     if (flags & TYPE_FLAG_LAZYARGS)
         fprintf(stderr, " lazyargs");
     uint32_t objectCount = baseObjectCount();
     if (objectCount) {
         fprintf(stderr, " object[%u]", objectCount);
         unsigned count = getObjectCount();
         for (unsigned i = 0; i < count; i++) {
             TypeObjectKey *object = getObject(i);
             if (object)
                 fprintf(stderr, " %s", TypeString(Type::ObjectType(object)));
         }
     }
 }
 bool
 TypeSet::clone(LifoAlloc *alloc, TemporaryTypeSet *result) const
 {
     JS_ASSERT(result->empty());
     unsigned objectCount = baseObjectCount();
     unsigned capacity = (objectCount >= 2) ? HashSetCapacity(objectCount) : 0;
     TypeObjectKey **newSet;
     if (capacity) {
         newSet = alloc->newArray<TypeObjectKey*>(capacity);
         if (!newSet)
             return false;
         PodCopy(newSet, objectSet, capacity);
     }
     new(result) TemporaryTypeSet(flags, capacity ? newSet : objectSet);
     return true;
 }
 TemporaryTypeSet *
 TypeSet::clone(LifoAlloc *alloc) const
 {
     TemporaryTypeSet *res = alloc->new_<TemporaryTypeSet>();
     if (!res || !clone(alloc, res))
         return nullptr;
     return res;
 }
 TemporaryTypeSet *
 TypeSet::filter(LifoAlloc *alloc, bool filterUndefined, bool filterNull) const
 {
     TemporaryTypeSet *res = clone(alloc);
     if (!res)
         return nullptr;
     if (filterUndefined)
         res->flags = res->flags & ~TYPE_FLAG_UNDEFINED;
     if (filterNull)
         res->flags = res->flags & ~TYPE_FLAG_NULL;
     return res;
 }
 /* static */ TemporaryTypeSet *
 TypeSet::unionSets(TypeSet *a, TypeSet *b, LifoAlloc *alloc)
 {
     TemporaryTypeSet *res = alloc->new_<TemporaryTypeSet>(a->baseFlags() | b->baseFlags(),
                                                           static_cast<TypeObjectKey**>(nullptr));
     if (!res)
         return nullptr;
     if (!res->unknownObject()) {
         for (size_t i = 0; i < a->getObjectCount() && !res->unknownObject(); i++) {
             if (TypeObjectKey *key = a->getObject(i))
                 res->addType(Type::ObjectType(key), alloc);
         }
         for (size_t i = 0; i < b->getObjectCount() && !res->unknownObject(); i++) {
             if (TypeObjectKey *key = b->getObject(i))
                 res->addType(Type::ObjectType(key), alloc);
         }
     }
     return res;
 }
 /////////////////////////////////////////////////////////////////////
 // Compiler constraints
 /////////////////////////////////////////////////////////////////////
 // Compiler constraints overview
 //
 // Constraints generated during Ion compilation capture assumptions made about
 // heap properties that will trigger invalidation of the resulting Ion code if
 // the constraint is violated. Constraints can only be attached to type sets on
 // the main thread, so to allow compilation to occur almost entirely off thread
 // the generation is split into two phases.
 //
 // During compilation, CompilerConstraint values are constructed in a list,
 // recording the heap property type set which was read from and its expected
 // contents, along with the assumption made about those contents.
 //
 // At the end of compilation, when linking the result on the main thread, the
 // list of compiler constraints are read and converted to type constraints and
 // attached to the type sets. If the property type sets have changed so that the
 // assumptions no longer hold then the compilation is aborted and its result
 // discarded.
 // Superclass of all constraints generated during Ion compilation. These may
 // be allocated off the main thread, using the current Ion context's allocator.
 class CompilerConstraint
 {
   public:
     // Property being queried by the compiler.
     HeapTypeSetKey property;
     // Contents of the property at the point when the query was performed. This
     // may differ from the actual property types later in compilation as the
     // main thread performs side effects.
     TemporaryTypeSet *expected;
     CompilerConstraint(LifoAlloc *alloc, const HeapTypeSetKey &property)
       : property(property),
         expected(property.maybeTypes() ? property.maybeTypes()->clone(alloc) : nullptr)
     {}
     // Generate the type constraint recording the assumption made by this
     // compilation. Returns true if the assumption originally made still holds.
     virtual bool generateTypeConstraint(JSContext *cx, RecompileInfo recompileInfo) = 0;
 };
 class types::CompilerConstraintList
 {
   public:
     struct FrozenScript
     {
         JSScript *script;
         TemporaryTypeSet *thisTypes;
         TemporaryTypeSet *argTypes;
         TemporaryTypeSet *bytecodeTypes;
     };
   private:
     // OOM during generation of some constraint.
     bool failed_;
 #ifdef JS_ION
     // Allocator used for constraints.
     LifoAlloc *alloc_;
     // Constraints generated on heap properties.
     Vector<CompilerConstraint *, 0, jit::IonAllocPolicy> constraints;
     // Scripts whose stack type sets were frozen for the compilation.
     Vector<FrozenScript, 1, jit::IonAllocPolicy> frozenScripts;
 #endif
   public:
     CompilerConstraintList(jit::TempAllocator &alloc)
       : failed_(false)
 #ifdef JS_ION
       , alloc_(alloc.lifoAlloc())
       , constraints(alloc)
       , frozenScripts(alloc)
 #endif
     {}
     void add(CompilerConstraint *constraint) {
 #ifdef JS_ION
         if (!constraint || !constraints.append(constraint))
             setFailed();
 #else
         MOZ_CRASH();
 #endif
     }
     void freezeScript(JSScript *script,
                       TemporaryTypeSet *thisTypes,
                       TemporaryTypeSet *argTypes,
                       TemporaryTypeSet *bytecodeTypes)
     {
 #ifdef JS_ION
         FrozenScript entry;
         entry.script = script;
         entry.thisTypes = thisTypes;
         entry.argTypes = argTypes;
         entry.bytecodeTypes = bytecodeTypes;
         if (!frozenScripts.append(entry))
             setFailed();
 #else
         MOZ_CRASH();
 #endif
     }
     size_t length() {
 #ifdef JS_ION
         return constraints.length();
 #else
         MOZ_CRASH();
 #endif
     }
     CompilerConstraint *get(size_t i) {
 #ifdef JS_ION
         return constraints[i];
 #else
         MOZ_CRASH();
 #endif
     }
     size_t numFrozenScripts() {
 #ifdef JS_ION
         return frozenScripts.length();
 #else
         MOZ_CRASH();
 #endif
     }
     const FrozenScript &frozenScript(size_t i) {
 #ifdef JS_ION
         return frozenScripts[i];
 #else
         MOZ_CRASH();
 #endif
     }
     bool failed() {
         return failed_;
     }
     void setFailed() {
         failed_ = true;
     }
     LifoAlloc *alloc() const {
 #ifdef JS_ION
         return alloc_;
 #else
         MOZ_CRASH();
 #endif
     }
 };
 CompilerConstraintList *
 types::NewCompilerConstraintList(jit::TempAllocator &alloc)
 {
 #ifdef JS_ION
     return alloc.lifoAlloc()->new_<CompilerConstraintList>(alloc);
 #else
     MOZ_CRASH();
 #endif
 }
 /* static */ bool
 TypeScript::FreezeTypeSets(CompilerConstraintList *constraints, JSScript *script,
                            TemporaryTypeSet **pThisTypes,
                            TemporaryTypeSet **pArgTypes,
                            TemporaryTypeSet **pBytecodeTypes)
 {
     LifoAlloc *alloc = constraints->alloc();
     StackTypeSet *existing = script->types->typeArray();
     size_t count = NumTypeSets(script);
     TemporaryTypeSet *types = alloc->newArrayUninitialized<TemporaryTypeSet>(count);
     if (!types)
         return false;
     PodZero(types, count);
     for (size_t i = 0; i < count; i++) {
         if (!existing[i].clone(alloc, &types[i]))
             return false;
     }
     *pThisTypes = types + (ThisTypes(script) - existing);
     *pArgTypes = (script->functionNonDelazifying() && script->functionNonDelazifying()->nargs())
                  ? (types + (ArgTypes(script, 0) - existing))
                  : nullptr;
     *pBytecodeTypes = types;
     constraints->freezeScript(script, *pThisTypes, *pArgTypes, *pBytecodeTypes);
     return true;
 }
 namespace {
 template <typename T>
 class CompilerConstraintInstance : public CompilerConstraint
 {
     T data;
   public:
     CompilerConstraintInstance<T>(LifoAlloc *alloc, const HeapTypeSetKey &property, const T &data)
       : CompilerConstraint(alloc, property), data(data)
     {}
     bool generateTypeConstraint(JSContext *cx, RecompileInfo recompileInfo);
 };
 // Constraint generated from a CompilerConstraint when linking the compilation.
 template <typename T>
 class TypeCompilerConstraint : public TypeConstraint
 {
     // Compilation which this constraint may invalidate.
     RecompileInfo compilation;
     T data;
   public:
     TypeCompilerConstraint<T>(RecompileInfo compilation, const T &data)
       : compilation(compilation), data(data)
     {}
     const char *kind() { return data.kind(); }
     void newType(JSContext *cx, TypeSet *source, Type type) {
         if (data.invalidateOnNewType(type))
             cx->zone()->types.addPendingRecompile(cx, compilation);
     }
     void newPropertyState(JSContext *cx, TypeSet *source) {
         if (data.invalidateOnNewPropertyState(source))
             cx->zone()->types.addPendingRecompile(cx, compilation);
     }
     void newObjectState(JSContext *cx, TypeObject *object) {
         // Note: Once the object has unknown properties, no more notifications
         // will be sent on changes to its state, so always invalidate any
         // associated compilations.
         if (object->unknownProperties() || data.invalidateOnNewObjectState(object))
             cx->zone()->types.addPendingRecompile(cx, compilation);
     }
     bool sweep(TypeZone &zone, TypeConstraint **res) {
         if (data.shouldSweep() || compilation.shouldSweep(zone))
             return false;
         *res = zone.typeLifoAlloc.new_<TypeCompilerConstraint<T> >(compilation, data);
         return true;
     }
 };
 template <typename T>
 bool
 CompilerConstraintInstance<T>::generateTypeConstraint(JSContext *cx, RecompileInfo recompileInfo)
 {
     if (property.object()->unknownProperties())
         return false;
     if (!property.instantiate(cx))
         return false;
     if (!data.constraintHolds(cx, property, expected))
         return false;
     return property.maybeTypes()->addConstraint(cx, cx->typeLifoAlloc().new_<TypeCompilerConstraint<T> >(recompileInfo, data),
                                                 /* callExisting = */ false);
 }
 } /* anonymous namespace */
 const Class *
 TypeObjectKey::clasp()
 {
     return isTypeObject() ? asTypeObject()->clasp() : asSingleObject()->getClass();
 }
 TaggedProto
 TypeObjectKey::proto()
 {
     JS_ASSERT(hasTenuredProto());
     return isTypeObject() ? asTypeObject()->proto() : asSingleObject()->getTaggedProto();
 }
 bool
 ObjectImpl::hasTenuredProto() const
 {
     return type_->hasTenuredProto();
 }
 bool
 TypeObjectKey::hasTenuredProto()
 {
     return isTypeObject() ? asTypeObject()->hasTenuredProto() : asSingleObject()->hasTenuredProto();
 }
 JSObject *
 TypeObjectKey::singleton()
 {
     return isTypeObject() ? asTypeObject()->singleton() : asSingleObject();
 }
 TypeNewScript *
 TypeObjectKey::newScript()
 {
     if (isTypeObject() && asTypeObject()->hasNewScript())
         return asTypeObject()->newScript();
     return nullptr;
 }
 TypeObject *
 TypeObjectKey::maybeType()
 {
     if (isTypeObject())
         return asTypeObject();
     if (asSingleObject()->hasLazyType())
         return nullptr;
     return asSingleObject()->type();
 }
 bool
 TypeObjectKey::unknownProperties()
 {
     if (TypeObject *type = maybeType())
         return type->unknownProperties();
     return false;
 }
 HeapTypeSetKey
 TypeObjectKey::property(jsid id)
 {
     JS_ASSERT(!unknownProperties());
     HeapTypeSetKey property;
     property.object_ = this;
     property.id_ = id;
     if (TypeObject *type = maybeType())
         property.maybeTypes_ = type->maybeGetProperty(id);
     return property;
 }
 void
 TypeObjectKey::ensureTrackedProperty(JSContext *cx, jsid id)
 {
 #ifdef JS_ION
     // If we are accessing a lazily defined property which actually exists in
     // the VM and has not been instantiated yet, instantiate it now if we are
     // on the main thread and able to do so.
     if (!JSID_IS_VOID(id) && !JSID_IS_EMPTY(id)) {
         JS_ASSERT(CurrentThreadCanAccessRuntime(cx->runtime()));
         if (JSObject *obj = singleton()) {
             if (obj->isNative() && obj->nativeLookupPure(id))
                 EnsureTrackPropertyTypes(cx, obj, id);
         }
     }
 #endif // JS_ION
 }
 bool
 HeapTypeSetKey::instantiate(JSContext *cx)
 {
     if (maybeTypes())
         return true;
     if (object()->isSingleObject() && !object()->asSingleObject()->getType(cx)) {
         cx->clearPendingException();
         return false;
     }
     maybeTypes_ = object()->maybeType()->getProperty(cx, id());
     return maybeTypes_ != nullptr;
 }
 static bool
 CheckFrozenTypeSet(JSContext *cx, TemporaryTypeSet *frozen, StackTypeSet *actual)
 {
     // Return whether the types frozen for a script during compilation are
     // still valid. Also check for any new types added to the frozen set during
     // compilation, and add them to the actual stack type sets. These new types
     // indicate places where the compiler relaxed its possible inputs to be
     // more tolerant of potential new types.
     if (!actual->isSubset(frozen))
         return false;
     if (!frozen->isSubset(actual)) {
         TypeSet::TypeList list;
         frozen->enumerateTypes(&list);
         for (size_t i = 0; i < list.length(); i++)
             actual->addType(cx, list[i]);
     }
     return true;
 }
 namespace {
 /*
  * As for TypeConstraintFreeze, but describes an implicit freeze constraint
  * added for stack types within a script. Applies to all compilations of the
  * script, not just a single one.
  */
 class TypeConstraintFreezeStack : public TypeConstraint
 {
     JSScript *script_;
   public:
     TypeConstraintFreezeStack(JSScript *script)
         : script_(script)
     {}
     const char *kind() { return "freezeStack"; }
     void newType(JSContext *cx, TypeSet *source, Type type) {
         /*
          * Unlike TypeConstraintFreeze, triggering this constraint once does
          * not disable it on future changes to the type set.
          */
         cx->zone()->types.addPendingRecompile(cx, script_);
     }
     bool sweep(TypeZone &zone, TypeConstraint **res) {
         if (IsScriptAboutToBeFinalized(&script_))
             return false;
         *res = zone.typeLifoAlloc.new_<TypeConstraintFreezeStack>(script_);
         return true;
     }
 };
 } /* anonymous namespace */
 bool
 types::FinishCompilation(JSContext *cx, HandleScript script, ExecutionMode executionMode,
                          CompilerConstraintList *constraints, RecompileInfo *precompileInfo)
 {
     if (constraints->failed())
         return false;
     CompilerOutput co(script, executionMode);
     TypeZone &types = cx->zone()->types;
     if (!types.compilerOutputs) {
         types.compilerOutputs = cx->new_< Vector<CompilerOutput> >(cx);
         if (!types.compilerOutputs)
             return false;
     }
 #ifdef DEBUG
     for (size_t i = 0; i < types.compilerOutputs->length(); i++) {
         const CompilerOutput &co = (*types.compilerOutputs)[i];
         JS_ASSERT_IF(co.isValid(), co.script() != script || co.mode() != executionMode);
     }
 #endif
     uint32_t index = types.compilerOutputs->length();
     if (!types.compilerOutputs->append(co))
         return false;
     *precompileInfo = RecompileInfo(index);
     bool succeeded = true;
     for (size_t i = 0; i < constraints->length(); i++) {
         CompilerConstraint *constraint = constraints->get(i);
         if (!constraint->generateTypeConstraint(cx, *precompileInfo))
             succeeded = false;
     }
     for (size_t i = 0; i < constraints->numFrozenScripts(); i++) {
         const CompilerConstraintList::FrozenScript &entry = constraints->frozenScript(i);
         JS_ASSERT(entry.script->types);
         if (!CheckFrozenTypeSet(cx, entry.thisTypes, types::TypeScript::ThisTypes(entry.script)))
             succeeded = false;
         unsigned nargs = entry.script->functionNonDelazifying()
                          ? entry.script->functionNonDelazifying()->nargs()
                          : 0;
         for (size_t i = 0; i < nargs; i++) {
             if (!CheckFrozenTypeSet(cx, &entry.argTypes[i], types::TypeScript::ArgTypes(entry.script, i)))
                 succeeded = false;
         }
         for (size_t i = 0; i < entry.script->nTypeSets(); i++) {
             if (!CheckFrozenTypeSet(cx, &entry.bytecodeTypes[i], &entry.script->types->typeArray()[i]))
                 succeeded = false;
         }
         // If necessary, add constraints to trigger invalidation on the script
         // after any future changes to the stack type sets.
         if (entry.script->hasFreezeConstraints())
             continue;
         entry.script->setHasFreezeConstraints();
         size_t count = TypeScript::NumTypeSets(entry.script);
         StackTypeSet *array = entry.script->types->typeArray();
         for (size_t i = 0; i < count; i++) {
             if (!array[i].addConstraint(cx, cx->typeLifoAlloc().new_<TypeConstraintFreezeStack>(entry.script), false))
                 succeeded = false;
         }
     }
     if (!succeeded || types.compilerOutputs->back().pendingInvalidation()) {
         types.compilerOutputs->back().invalidate();
         script->resetUseCount();
         return false;
     }
     return true;
 }
 static void
 CheckDefinitePropertiesTypeSet(JSContext *cx, TemporaryTypeSet *frozen, StackTypeSet *actual)
 {
     // The definite properties analysis happens on the main thread, so no new
     // types can have been added to actual. The analysis may have updated the
     // contents of |frozen| though with new speculative types, and these need
     // to be reflected in |actual| for AddClearDefiniteFunctionUsesInScript
     // to work.
     if (!frozen->isSubset(actual)) {
         TypeSet::TypeList list;
         frozen->enumerateTypes(&list);
         for (size_t i = 0; i < list.length(); i++)
             actual->addType(cx, list[i]);
     }
 }
 void
 types::FinishDefinitePropertiesAnalysis(JSContext *cx, CompilerConstraintList *constraints)
 {
 #ifdef DEBUG
     // Assert no new types have been added to the StackTypeSets. Do this before
     // calling CheckDefinitePropertiesTypeSet, as it may add new types to the
     // StackTypeSets and break these invariants if a script is inlined more
     // than once. See also CheckDefinitePropertiesTypeSet.
     for (size_t i = 0; i < constraints->numFrozenScripts(); i++) {
         const CompilerConstraintList::FrozenScript &entry = constraints->frozenScript(i);
         JSScript *script = entry.script;
         JS_ASSERT(script->types);
         JS_ASSERT(TypeScript::ThisTypes(script)->isSubset(entry.thisTypes));
         unsigned nargs = entry.script->functionNonDelazifying()
                          ? entry.script->functionNonDelazifying()->nargs()
                          : 0;
         for (size_t j = 0; j < nargs; j++)
             JS_ASSERT(TypeScript::ArgTypes(script, j)->isSubset(&entry.argTypes[j]));
         for (size_t j = 0; j < script->nTypeSets(); j++)
             JS_ASSERT(script->types->typeArray()[j].isSubset(&entry.bytecodeTypes[j]));
     }
 #endif
     for (size_t i = 0; i < constraints->numFrozenScripts(); i++) {
         const CompilerConstraintList::FrozenScript &entry = constraints->frozenScript(i);
         JSScript *script = entry.script;
         JS_ASSERT(script->types);
         if (!script->types)
             MOZ_CRASH();
         CheckDefinitePropertiesTypeSet(cx, entry.thisTypes, TypeScript::ThisTypes(script));
         unsigned nargs = script->functionNonDelazifying()
                          ? script->functionNonDelazifying()->nargs()
                          : 0;
         for (size_t j = 0; j < nargs; j++)
             CheckDefinitePropertiesTypeSet(cx, &entry.argTypes[j], TypeScript::ArgTypes(script, j));
         for (size_t j = 0; j < script->nTypeSets(); j++)
             CheckDefinitePropertiesTypeSet(cx, &entry.bytecodeTypes[j], &script->types->typeArray()[j]);
     }
 }
 namespace {
 // Constraint which triggers recompilation of a script if any type is added to a type set. */
 class ConstraintDataFreeze
 {
   public:
     ConstraintDataFreeze() {}
     const char *kind() { return "freeze"; }
     bool invalidateOnNewType(Type type) { return true; }
     bool invalidateOnNewPropertyState(TypeSet *property) { return true; }
     bool invalidateOnNewObjectState(TypeObject *object) { return false; }
     bool constraintHolds(JSContext *cx,
                          const HeapTypeSetKey &property, TemporaryTypeSet *expected)
     {
         return expected
                ? property.maybeTypes()->isSubset(expected)
                : property.maybeTypes()->empty();
     }
     bool shouldSweep() { return false; }
 };
 } /* anonymous namespace */
 void
 HeapTypeSetKey::freeze(CompilerConstraintList *constraints)
 {
     LifoAlloc *alloc = constraints->alloc();
     typedef CompilerConstraintInstance<ConstraintDataFreeze> T;
     constraints->add(alloc->new_<T>(alloc, *this, ConstraintDataFreeze()));
 }
 static inline jit::MIRType
 GetMIRTypeFromTypeFlags(TypeFlags flags)
 {
     switch (flags) {
       case TYPE_FLAG_UNDEFINED:
         return jit::MIRType_Undefined;
       case TYPE_FLAG_NULL:
         return jit::MIRType_Null;
       case TYPE_FLAG_BOOLEAN:
         return jit::MIRType_Boolean;
       case TYPE_FLAG_INT32:
         return jit::MIRType_Int32;
       case (TYPE_FLAG_INT32 | TYPE_FLAG_DOUBLE):
         return jit::MIRType_Double;
       case TYPE_FLAG_STRING:
         return jit::MIRType_String;
       case TYPE_FLAG_LAZYARGS:
         return jit::MIRType_MagicOptimizedArguments;
       case TYPE_FLAG_ANYOBJECT:
         return jit::MIRType_Object;
       default:
         return jit::MIRType_Value;
     }
 }
 jit::MIRType
 TemporaryTypeSet::getKnownMIRType()
 {
     TypeFlags flags = baseFlags();
     jit::MIRType type;
     if (baseObjectCount())
         type = flags ? jit::MIRType_Value : jit::MIRType_Object;
     else
         type = GetMIRTypeFromTypeFlags(flags);
     /*
      * If the type set is totally empty then it will be treated as unknown,
      * but we still need to record the dependency as adding a new type can give
      * it a definite type tag. This is not needed if there are enough types
      * that the exact tag is unknown, as it will stay unknown as more types are
      * added to the set.
      */
     DebugOnly<bool> empty = flags == 0 && baseObjectCount() == 0;
     JS_ASSERT_IF(empty, type == jit::MIRType_Value);
     return type;
 }
 jit::MIRType
 HeapTypeSetKey::knownMIRType(CompilerConstraintList *constraints)
 {
     TypeSet *types = maybeTypes();
     if (!types || types->unknown())
         return jit::MIRType_Value;
     TypeFlags flags = types->baseFlags() & ~TYPE_FLAG_ANYOBJECT;
     jit::MIRType type;
     if (types->unknownObject() || types->getObjectCount())
         type = flags ? jit::MIRType_Value : jit::MIRType_Object;
     else
         type = GetMIRTypeFromTypeFlags(flags);
     if (type != jit::MIRType_Value)
         freeze(constraints);
     /*
      * If the type set is totally empty then it will be treated as unknown,
      * but we still need to record the dependency as adding a new type can give
      * it a definite type tag. This is not needed if there are enough types
      * that the exact tag is unknown, as it will stay unknown as more types are
      * added to the set.
      */
     JS_ASSERT_IF(types->empty(), type == jit::MIRType_Value);
     return type;
 }
 bool
 HeapTypeSetKey::isOwnProperty(CompilerConstraintList *constraints)
 {
     if (maybeTypes() && (!maybeTypes()->empty() || maybeTypes()->nonDataProperty()))
         return true;
     if (JSObject *obj = object()->singleton()) {
         if (CanHaveEmptyPropertyTypesForOwnProperty(obj))
             return true;
     }
     freeze(constraints);
     return false;
 }
 bool
 HeapTypeSetKey::knownSubset(CompilerConstraintList *constraints, const HeapTypeSetKey &other)
 {
     if (!maybeTypes() || maybeTypes()->empty()) {
         freeze(constraints);
         return true;
     }
     if (!other.maybeTypes() || !maybeTypes()->isSubset(other.maybeTypes()))
         return false;
     freeze(constraints);
     return true;
 }
 JSObject *
 TemporaryTypeSet::getSingleton()
 {
     if (baseFlags() != 0 || baseObjectCount() != 1)
         return nullptr;
     return getSingleObject(0);
 }
 JSObject *
 HeapTypeSetKey::singleton(CompilerConstraintList *constraints)
 {
     HeapTypeSet *types = maybeTypes();
     if (!types || types->nonDataProperty() || types->baseFlags() != 0 || types->getObjectCount() != 1)
         return nullptr;
     JSObject *obj = types->getSingleObject(0);
     if (obj)
         freeze(constraints);
     return obj;
 }
 bool
 HeapTypeSetKey::needsBarrier(CompilerConstraintList *constraints)
 {
     TypeSet *types = maybeTypes();
     if (!types)
         return false;
     bool result = types->unknownObject()
                || types->getObjectCount() > 0
                || types->hasAnyFlag(TYPE_FLAG_STRING);
     if (!result)
         freeze(constraints);
     return result;
 }
 namespace {
 // Constraint which triggers recompilation if an object acquires particular flags.
 class ConstraintDataFreezeObjectFlags
 {
   public:
     // Flags we are watching for on this object.
     TypeObjectFlags flags;
     ConstraintDataFreezeObjectFlags(TypeObjectFlags flags)
       : flags(flags)
     {
         JS_ASSERT(flags);
     }
     const char *kind() { return "freezeObjectFlags"; }
     bool invalidateOnNewType(Type type) { return false; }
     bool invalidateOnNewPropertyState(TypeSet *property) { return false; }
     bool invalidateOnNewObjectState(TypeObject *object) {
         return object->hasAnyFlags(flags);
     }
     bool constraintHolds(JSContext *cx,
                          const HeapTypeSetKey &property, TemporaryTypeSet *expected)
     {
         return !invalidateOnNewObjectState(property.object()->maybeType());
     }
     bool shouldSweep() { return false; }
 };
 } /* anonymous namespace */
 bool
 TypeObjectKey::hasFlags(CompilerConstraintList *constraints, TypeObjectFlags flags)
 {
     JS_ASSERT(flags);
     if (TypeObject *type = maybeType()) {
         if (type->hasAnyFlags(flags))
             return true;
     }
     HeapTypeSetKey objectProperty = property(JSID_EMPTY);
     LifoAlloc *alloc = constraints->alloc();
     typedef CompilerConstraintInstance<ConstraintDataFreezeObjectFlags> T;
     constraints->add(alloc->new_<T>(alloc, objectProperty, ConstraintDataFreezeObjectFlags(flags)));
     return false;
 }
 bool
 TemporaryTypeSet::hasObjectFlags(CompilerConstraintList *constraints, TypeObjectFlags flags)
 {
     if (unknownObject())
         return true;
     /*
      * Treat type sets containing no objects as having all object flags,
      * to spare callers from having to check this.
      */
     if (baseObjectCount() == 0)
         return true;
     unsigned count = getObjectCount();
     for (unsigned i = 0; i < count; i++) {
         TypeObjectKey *object = getObject(i);
         if (object && object->hasFlags(constraints, flags))
             return true;
     }
     return false;
 }
 gc::InitialHeap
 TypeObject::initialHeap(CompilerConstraintList *constraints)
 {
     // If this object is not required to be pretenured but could be in the
     // future, add a constraint to trigger recompilation if the requirement
     // changes.
     if (shouldPreTenure())
         return gc::TenuredHeap;
     if (!canPreTenure())
         return gc::DefaultHeap;
     HeapTypeSetKey objectProperty = TypeObjectKey::get(this)->property(JSID_EMPTY);
     LifoAlloc *alloc = constraints->alloc();
     typedef CompilerConstraintInstance<ConstraintDataFreezeObjectFlags> T;
     constraints->add(alloc->new_<T>(alloc, objectProperty, ConstraintDataFreezeObjectFlags(OBJECT_FLAG_PRE_TENURE)));
     return gc::DefaultHeap;
 }
 namespace {
 // Constraint which triggers recompilation on any type change in an inlined
 // script. The freeze constraints added to stack type sets will only directly
 // invalidate the script containing those stack type sets. To invalidate code
 // for scripts into which the base script was inlined, ObjectStateChange is used.
 class ConstraintDataFreezeObjectForInlinedCall
 {
   public:
     ConstraintDataFreezeObjectForInlinedCall()
     {}
     const char *kind() { return "freezeObjectForInlinedCall"; }
     bool invalidateOnNewType(Type type) { return false; }
     bool invalidateOnNewPropertyState(TypeSet *property) { return false; }
     bool invalidateOnNewObjectState(TypeObject *object) {
         // We don't keep track of the exact dependencies the caller has on its
         // inlined scripts' type sets, so always invalidate the caller.
         return true;
     }
     bool constraintHolds(JSContext *cx,
                          const HeapTypeSetKey &property, TemporaryTypeSet *expected)
     {
         return true;
     }
     bool shouldSweep() { return false; }
 };
 // Constraint which triggers recompilation when the template object for a
 // type's new script changes.
 class ConstraintDataFreezeObjectForNewScriptTemplate
 {
     JSObject *templateObject;
   public:
     ConstraintDataFreezeObjectForNewScriptTemplate(JSObject *templateObject)
       : templateObject(templateObject)
     {}
     const char *kind() { return "freezeObjectForNewScriptTemplate"; }
     bool invalidateOnNewType(Type type) { return false; }
     bool invalidateOnNewPropertyState(TypeSet *property) { return false; }
     bool invalidateOnNewObjectState(TypeObject *object) {
         return !object->hasNewScript() || object->newScript()->templateObject != templateObject;
     }
     bool constraintHolds(JSContext *cx,
                          const HeapTypeSetKey &property, TemporaryTypeSet *expected)
     {
         return !invalidateOnNewObjectState(property.object()->maybeType());
     }
     bool shouldSweep() {
         // Note: |templateObject| is only used for equality testing.
         return false;
     }
 };
 // Constraint which triggers recompilation when a typed array's data becomes
 // invalid.
 class ConstraintDataFreezeObjectForTypedArrayData
 {
     void *viewData;
     uint32_t length;
   public:
     ConstraintDataFreezeObjectForTypedArrayData(TypedArrayObject &tarray)
       : viewData(tarray.viewData()),
         length(tarray.length())
     {}
     const char *kind() { return "freezeObjectForTypedArrayData"; }
     bool invalidateOnNewType(Type type) { return false; }
     bool invalidateOnNewPropertyState(TypeSet *property) { return false; }
     bool invalidateOnNewObjectState(TypeObject *object) {
         TypedArrayObject &tarray = object->singleton()->as<TypedArrayObject>();
         return tarray.viewData() != viewData || tarray.length() != length;
     }
     bool constraintHolds(JSContext *cx,
                          const HeapTypeSetKey &property, TemporaryTypeSet *expected)
     {
         return !invalidateOnNewObjectState(property.object()->maybeType());
     }
     bool shouldSweep() {
         // Note: |viewData| is only used for equality testing.
         return false;
     }
 };
 } /* anonymous namespace */
 void
 TypeObjectKey::watchStateChangeForInlinedCall(CompilerConstraintList *constraints)
 {
     HeapTypeSetKey objectProperty = property(JSID_EMPTY);
     LifoAlloc *alloc = constraints->alloc();
     typedef CompilerConstraintInstance<ConstraintDataFreezeObjectForInlinedCall> T;
     constraints->add(alloc->new_<T>(alloc, objectProperty, ConstraintDataFreezeObjectForInlinedCall()));
 }
 void
 TypeObjectKey::watchStateChangeForNewScriptTemplate(CompilerConstraintList *constraints)
 {
     JSObject *templateObject = asTypeObject()->newScript()->templateObject;
     HeapTypeSetKey objectProperty = property(JSID_EMPTY);
     LifoAlloc *alloc = constraints->alloc();
     typedef CompilerConstraintInstance<ConstraintDataFreezeObjectForNewScriptTemplate> T;
     constraints->add(alloc->new_<T>(alloc, objectProperty,
                                     ConstraintDataFreezeObjectForNewScriptTemplate(templateObject)));
 }
 void
 TypeObjectKey::watchStateChangeForTypedArrayData(CompilerConstraintList *constraints)
 {
     TypedArrayObject &tarray = asSingleObject()->as<TypedArrayObject>();
     HeapTypeSetKey objectProperty = property(JSID_EMPTY);
     LifoAlloc *alloc = constraints->alloc();
     typedef CompilerConstraintInstance<ConstraintDataFreezeObjectForTypedArrayData> T;
     constraints->add(alloc->new_<T>(alloc, objectProperty,
                                     ConstraintDataFreezeObjectForTypedArrayData(tarray)));
 }
 static void
 ObjectStateChange(ExclusiveContext *cxArg, TypeObject *object, bool markingUnknown)
 {
     if (object->unknownProperties())
         return;
     /* All constraints listening to state changes are on the empty id. */
     HeapTypeSet *types = object->maybeGetProperty(JSID_EMPTY);
     /* Mark as unknown after getting the types, to avoid assertion. */
     if (markingUnknown)
         object->addFlags(OBJECT_FLAG_DYNAMIC_MASK | OBJECT_FLAG_UNKNOWN_PROPERTIES);
     if (types) {
         if (JSContext *cx = cxArg->maybeJSContext()) {
             TypeConstraint *constraint = types->constraintList;
             while (constraint) {
                 constraint->newObjectState(cx, object);
                 constraint = constraint->next;
             }
         } else {
             JS_ASSERT(!types->constraintList);
         }
     }
 }
 static void
 CheckNewScriptProperties(JSContext *cx, TypeObject *type, JSFunction *fun);
 namespace {
 class ConstraintDataFreezePropertyState
 {
   public:
     enum Which {
         NON_DATA,
         NON_WRITABLE
     } which;
     ConstraintDataFreezePropertyState(Which which)
       : which(which)
     {}
     const char *kind() { return (which == NON_DATA) ? "freezeNonDataProperty" : "freezeNonWritableProperty"; }
     bool invalidateOnNewType(Type type) { return false; }
     bool invalidateOnNewPropertyState(TypeSet *property) {
         return (which == NON_DATA)
                ? property->nonDataProperty()
                : property->nonWritableProperty();
     }
     bool invalidateOnNewObjectState(TypeObject *object) { return false; }
     bool constraintHolds(JSContext *cx,
                          const HeapTypeSetKey &property, TemporaryTypeSet *expected)
     {
         return !invalidateOnNewPropertyState(property.maybeTypes());
     }
     bool shouldSweep() { return false; }
 };
 } /* anonymous namespace */
 bool
 HeapTypeSetKey::nonData(CompilerConstraintList *constraints)
 {
     if (maybeTypes() && maybeTypes()->nonDataProperty())
         return true;
     LifoAlloc *alloc = constraints->alloc();
     typedef CompilerConstraintInstance<ConstraintDataFreezePropertyState> T;
     constraints->add(alloc->new_<T>(alloc, *this,
                                     ConstraintDataFreezePropertyState(ConstraintDataFreezePropertyState::NON_DATA)));
     return false;
 }
 bool
 HeapTypeSetKey::nonWritable(CompilerConstraintList *constraints)
 {
     if (maybeTypes() && maybeTypes()->nonWritableProperty())
         return true;
     LifoAlloc *alloc = constraints->alloc();
     typedef CompilerConstraintInstance<ConstraintDataFreezePropertyState> T;
     constraints->add(alloc->new_<T>(alloc, *this,
                                     ConstraintDataFreezePropertyState(ConstraintDataFreezePropertyState::NON_WRITABLE)));
     return false;
 }
 bool
 TemporaryTypeSet::filtersType(const TemporaryTypeSet *other, Type filteredType) const
 {
     if (other->unknown())
         return unknown();
     for (TypeFlags flag = 1; flag < TYPE_FLAG_ANYOBJECT; flag <<= 1) {
         Type type = Type::PrimitiveType(TypeFlagPrimitive(flag));
         if (type != filteredType && other->hasType(type) && !hasType(type))
             return false;
     }
     if (other->unknownObject())
         return unknownObject();
     for (size_t i = 0; i < other->getObjectCount(); i++) {
         TypeObjectKey *key = other->getObject(i);
         if (key) {
             Type type = Type::ObjectType(key);
             if (type != filteredType && !hasType(type))
                 return false;
         }
     }
     return true;
 }
 TemporaryTypeSet::DoubleConversion
 TemporaryTypeSet::convertDoubleElements(CompilerConstraintList *constraints)
 {
     if (unknownObject() || !getObjectCount())
         return AmbiguousDoubleConversion;
     bool alwaysConvert = true;
     bool maybeConvert = false;
     bool dontConvert = false;
     for (unsigned i = 0; i < getObjectCount(); i++) {
         TypeObjectKey *type = getObject(i);
         if (!type)
             continue;
         if (type->unknownProperties()) {
             alwaysConvert = false;
             continue;
         }
         HeapTypeSetKey property = type->property(JSID_VOID);
         property.freeze(constraints);
         // We can't convert to double elements for objects which do not have
         // double in their element types (as the conversion may render the type
         // information incorrect), nor for non-array objects (as their elements
         // may point to emptyObjectElements, which cannot be converted).
         if (!property.maybeTypes() ||
             !property.maybeTypes()->hasType(Type::DoubleType()) ||
             type->clasp() != &ArrayObject::class_)
         {
             dontConvert = true;
             alwaysConvert = false;
             continue;
         }
         // Only bother with converting known packed arrays whose possible
         // element types are int or double. Other arrays require type tests
         // when elements are accessed regardless of the conversion.
         if (property.knownMIRType(constraints) == jit::MIRType_Double &&
             !type->hasFlags(constraints, OBJECT_FLAG_NON_PACKED))
         {
             maybeConvert = true;
         } else {
             alwaysConvert = false;
         }
     }
     JS_ASSERT_IF(alwaysConvert, maybeConvert);
     if (maybeConvert && dontConvert)
         return AmbiguousDoubleConversion;
     if (alwaysConvert)
         return AlwaysConvertToDoubles;
     if (maybeConvert)
         return MaybeConvertToDoubles;
     return DontConvertToDoubles;
 }
 const Class *
 TemporaryTypeSet::getKnownClass()
 {
     if (unknownObject())
         return nullptr;
     const Class *clasp = nullptr;
     unsigned count = getObjectCount();
     for (unsigned i = 0; i < count; i++) {
         const Class *nclasp = getObjectClass(i);
         if (!nclasp)
             continue;
         if (clasp && clasp != nclasp)
             return nullptr;
         clasp = nclasp;
     }
     return clasp;
 }
 TemporaryTypeSet::ForAllResult
 TemporaryTypeSet::forAllClasses(bool (*func)(const Class* clasp))
 {
     if (unknownObject())
         return ForAllResult::MIXED;
     unsigned count = getObjectCount();
     if (count == 0)
         return ForAllResult::EMPTY;
     bool true_results = false;
     bool false_results = false;
     for (unsigned i = 0; i < count; i++) {
         const Class *clasp = getObjectClass(i);
         if (!clasp)
             return ForAllResult::MIXED;
         if (func(clasp)) {
             true_results = true;
             if (false_results) return ForAllResult::MIXED;
         }
         else {
             false_results = true;
             if (true_results) return ForAllResult::MIXED;
         }
     }
     JS_ASSERT(true_results != false_results);
     return true_results ? ForAllResult::ALL_TRUE : ForAllResult::ALL_FALSE;
 }
 int
 TemporaryTypeSet::getTypedArrayType()
 {
     const Class *clasp = getKnownClass();
     if (clasp && IsTypedArrayClass(clasp))
         return clasp - &TypedArrayObject::classes[0];
     return ScalarTypeDescr::TYPE_MAX;
 }
 bool
 TemporaryTypeSet::isDOMClass()
 {
     if (unknownObject())
         return false;
     unsigned count = getObjectCount();
     for (unsigned i = 0; i < count; i++) {
         const Class *clasp = getObjectClass(i);
         if (clasp && !clasp->isDOMClass())
             return false;
     }
     return count > 0;
 }
 bool
 TemporaryTypeSet::maybeCallable()
 {
     if (!maybeObject())
         return false;
     if (unknownObject())
         return true;
     unsigned count = getObjectCount();
     for (unsigned i = 0; i < count; i++) {
         const Class *clasp = getObjectClass(i);
         if (clasp && clasp->isCallable())
             return true;
     }
     return false;
 }
 bool
 TemporaryTypeSet::maybeEmulatesUndefined()
 {
     if (!maybeObject())
         return false;
     if (unknownObject())
         return true;
     unsigned count = getObjectCount();
     for (unsigned i = 0; i < count; i++) {
         // The object emulates undefined if clasp->emulatesUndefined() or if
         // it's a WrapperObject, see EmulatesUndefined. Since all wrappers are
         // proxies, we can just check for that.
         const Class *clasp = getObjectClass(i);
         if (clasp && (clasp->emulatesUndefined() || clasp->isProxy()))
             return true;
     }
     return false;
 }
 JSObject *
 TemporaryTypeSet::getCommonPrototype()
 {
     if (unknownObject())
         return nullptr;
     JSObject *proto = nullptr;
     unsigned count = getObjectCount();
     for (unsigned i = 0; i < count; i++) {
         TypeObjectKey *object = getObject(i);
         if (!object)
             continue;
         if (!object->hasTenuredProto())
             return nullptr;
         TaggedProto nproto = object->proto();
         if (proto) {
             if (nproto != proto)
                 return nullptr;
         } else {
             if (!nproto.isObject())
                 return nullptr;
             proto = nproto.toObject();
         }
     }
     return proto;
 }
 bool
 TemporaryTypeSet::propertyNeedsBarrier(CompilerConstraintList *constraints, jsid id)
 {
     if (unknownObject())
         return true;
     for (unsigned i = 0; i < getObjectCount(); i++) {
         TypeObjectKey *type = getObject(i);
         if (!type)
             continue;
         if (type->unknownProperties())
             return true;
         HeapTypeSetKey property = type->property(id);
         if (property.needsBarrier(constraints))
             return true;
     }
     return false;
 }
 /////////////////////////////////////////////////////////////////////
 // TypeCompartment
 /////////////////////////////////////////////////////////////////////
 TypeCompartment::TypeCompartment()
 {
     PodZero(this);
 }
 TypeObject *
 TypeCompartment::newTypeObject(ExclusiveContext *cx, const Class *clasp, Handle<TaggedProto> proto,
                                TypeObjectFlags initialFlags)
 {
     JS_ASSERT_IF(proto.isObject(), cx->isInsideCurrentCompartment(proto.toObject()));
     if (cx->isJSContext()) {
         if (proto.isObject() && IsInsideNursery(cx->asJSContext()->runtime(), proto.toObject()))
             initialFlags |= OBJECT_FLAG_NURSERY_PROTO;
     }
     TypeObject *object = js::NewTypeObject(cx);
     if (!object)
         return nullptr;
     new(object) TypeObject(clasp, proto, initialFlags);
     return object;
 }
 TypeObject *
 TypeCompartment::addAllocationSiteTypeObject(JSContext *cx, AllocationSiteKey key)
 {
     AutoEnterAnalysis enter(cx);
     if (!allocationSiteTable) {
         allocationSiteTable = cx->new_<AllocationSiteTable>();
         if (!allocationSiteTable || !allocationSiteTable->init()) {
             js_delete(allocationSiteTable);
             return nullptr;
         }
     }
     AllocationSiteTable::AddPtr p = allocationSiteTable->lookupForAdd(key);
     JS_ASSERT(!p);
     TypeObject *res = nullptr;
     jsbytecode *pc = key.script->offsetToPC(key.offset);
     RootedScript keyScript(cx, key.script);
     if (!res) {
         RootedObject proto(cx);
         if (!GetBuiltinPrototype(cx, key.kind, &proto))
             return nullptr;
         Rooted<TaggedProto> tagged(cx, TaggedProto(proto));
         res = newTypeObject(cx, GetClassForProtoKey(key.kind), tagged, OBJECT_FLAG_FROM_ALLOCATION_SITE);
         if (!res)
             return nullptr;
         key.script = keyScript;
     }
     if (JSOp(*pc) == JSOP_NEWOBJECT) {
         /*
          * This object is always constructed the same way and will not be
          * observed by other code before all properties have been added. Mark
          * all the properties as definite properties of the object.
          */
         RootedObject baseobj(cx, key.script->getObject(GET_UINT32_INDEX(pc)));
         if (!res->addDefiniteProperties(cx, baseobj))
             return nullptr;
     }
     if (!allocationSiteTable->add(p, key, res))
         return nullptr;
     return res;
 }
 static inline jsid
 GetAtomId(JSContext *cx, JSScript *script, const jsbytecode *pc, unsigned offset)
 {
     PropertyName *name = script->getName(GET_UINT32_INDEX(pc + offset));
     return IdToTypeId(NameToId(name));
 }
 bool
 types::UseNewType(JSContext *cx, JSScript *script, jsbytecode *pc)
 {
     /*
      * Make a heuristic guess at a use of JSOP_NEW that the constructed object
      * should have a fresh type object. We do this when the NEW is immediately
      * followed by a simple assignment to an object's .prototype field.
      * This is designed to catch common patterns for subclassing in JS:
      *
      * function Super() { ... }
      * function Sub1() { ... }
      * function Sub2() { ... }
      *
      * Sub1.prototype = new Super();
      * Sub2.prototype = new Super();
      *
      * Using distinct type objects for the particular prototypes of Sub1 and
      * Sub2 lets us continue to distinguish the two subclasses and any extra
      * properties added to those prototype objects.
      */
     if (JSOp(*pc) == JSOP_NEW)
         pc += JSOP_NEW_LENGTH;
     else if (JSOp(*pc) == JSOP_SPREADNEW)
         pc += JSOP_SPREADNEW_LENGTH;
     else
         return false;
     if (JSOp(*pc) == JSOP_SETPROP) {
         jsid id = GetAtomId(cx, script, pc, 0);
         if (id == id_prototype(cx))
             return true;
     }
     return false;
 }
 NewObjectKind
 types::UseNewTypeForInitializer(JSScript *script, jsbytecode *pc, JSProtoKey key)
 {
     /*
      * Objects created outside loops in global and eval scripts should have
      * singleton types. For now this is only done for plain objects and typed
      * arrays, but not normal arrays.
      */
     if (script->functionNonDelazifying() && !script->treatAsRunOnce())
         return GenericObject;
     if (key != JSProto_Object && !(key >= JSProto_Int8Array && key <= JSProto_Uint8ClampedArray))
         return GenericObject;
     /*
      * All loops in the script will have a JSTRY_ITER or JSTRY_LOOP try note
      * indicating their boundary.
      */
     if (!script->hasTrynotes())
         return SingletonObject;
     unsigned offset = script->pcToOffset(pc);
     JSTryNote *tn = script->trynotes()->vector;
     JSTryNote *tnlimit = tn + script->trynotes()->length;
     for (; tn < tnlimit; tn++) {
         if (tn->kind != JSTRY_ITER && tn->kind != JSTRY_LOOP)
             continue;
         unsigned startOffset = script->mainOffset() + tn->start;
         unsigned endOffset = startOffset + tn->length;
         if (offset >= startOffset && offset < endOffset)
             return GenericObject;
     }
     return SingletonObject;
 }
 NewObjectKind
 types::UseNewTypeForInitializer(JSScript *script, jsbytecode *pc, const Class *clasp)
 {
     return UseNewTypeForInitializer(script, pc, JSCLASS_CACHED_PROTO_KEY(clasp));
 }
 static inline bool
 ClassCanHaveExtraProperties(const Class *clasp)
 {
     JS_ASSERT(clasp->resolve);
     return clasp->resolve != JS_ResolveStub
         || clasp->ops.lookupGeneric
         || clasp->ops.getGeneric
         || IsTypedArrayClass(clasp);
 }
 static inline bool
 PrototypeHasIndexedProperty(CompilerConstraintList *constraints, JSObject *obj)
 {
     do {
         TypeObjectKey *type = TypeObjectKey::get(obj);
         if (ClassCanHaveExtraProperties(type->clasp()))
             return true;
         if (type->unknownProperties())
             return true;
         HeapTypeSetKey index = type->property(JSID_VOID);
         if (index.nonData(constraints) || index.isOwnProperty(constraints))
             return true;
         if (!obj->hasTenuredProto())
             return true;
         obj = obj->getProto();
     } while (obj);
     return false;
 }
 bool
 types::ArrayPrototypeHasIndexedProperty(CompilerConstraintList *constraints, JSScript *script)
 {
     if (JSObject *proto = script->global().maybeGetArrayPrototype())
         return PrototypeHasIndexedProperty(constraints, proto);
     return true;
 }
 bool
 types::TypeCanHaveExtraIndexedProperties(CompilerConstraintList *constraints,
                                          TemporaryTypeSet *types)
 {
     const Class *clasp = types->getKnownClass();
     // Note: typed arrays have indexed properties not accounted for by type
     // information, though these are all in bounds and will be accounted for
     // by JIT paths.
     if (!clasp || (ClassCanHaveExtraProperties(clasp) && !IsTypedArrayClass(clasp)))
         return true;
     if (types->hasObjectFlags(constraints, types::OBJECT_FLAG_SPARSE_INDEXES))
         return true;
     JSObject *proto = types->getCommonPrototype();
     if (!proto)
         return true;
     return PrototypeHasIndexedProperty(constraints, proto);
 }
 void
 TypeZone::processPendingRecompiles(FreeOp *fop)
 {
     if (!pendingRecompiles)
         return;
     /* Steal the list of scripts to recompile, else we will try to recursively recompile them. */
     Vector<RecompileInfo> *pending = pendingRecompiles;
     pendingRecompiles = nullptr;
     JS_ASSERT(!pending->empty());
 #ifdef JS_ION
     jit::Invalidate(*this, fop, *pending);
 #endif
     fop->delete_(pending);
 }
 void
 TypeZone::addPendingRecompile(JSContext *cx, const RecompileInfo &info)
 {
     CompilerOutput *co = info.compilerOutput(cx);
     if (!co || !co->isValid() || co->pendingInvalidation())
         return;
     InferSpew(ISpewOps, "addPendingRecompile: %p:%s:%d",
               co->script(), co->script()->filename(), co->script()->lineno());
     co->setPendingInvalidation();
     if (!pendingRecompiles) {
         pendingRecompiles = cx->new_< Vector<RecompileInfo> >(cx);
         if (!pendingRecompiles)
             CrashAtUnhandlableOOM("Could not update pendingRecompiles");
     }
     if (!pendingRecompiles->append(info))
         CrashAtUnhandlableOOM("Could not update pendingRecompiles");
 }
 void
 TypeZone::addPendingRecompile(JSContext *cx, JSScript *script)
 {
     JS_ASSERT(script);
 #ifdef JS_ION
     CancelOffThreadIonCompile(cx->compartment(), script);
     // Let the script warm up again before attempting another compile.
     if (jit::IsBaselineEnabled(cx))
         script->resetUseCount();
     if (script->hasIonScript())
         addPendingRecompile(cx, script->ionScript()->recompileInfo());
     if (script->hasParallelIonScript())
         addPendingRecompile(cx, script->parallelIonScript()->recompileInfo());
 #endif
     // When one script is inlined into another the caller listens to state
     // changes on the callee's script, so trigger these to force recompilation
     // of any such callers.
     if (script->functionNonDelazifying() && !script->functionNonDelazifying()->hasLazyType())
         ObjectStateChange(cx, script->functionNonDelazifying()->type(), false);
 }
 void
 TypeCompartment::markSetsUnknown(JSContext *cx, TypeObject *target)
 {
     JS_ASSERT(this == &cx->compartment()->types);
     JS_ASSERT(!(target->flags() & OBJECT_FLAG_SETS_MARKED_UNKNOWN));
     JS_ASSERT(!target->singleton());
     JS_ASSERT(target->unknownProperties());
     AutoEnterAnalysis enter(cx);
     /* Mark type sets which contain obj as having a generic object types. */
     for (gc::CellIter i(cx->zone(), gc::FINALIZE_TYPE_OBJECT); !i.done(); i.next()) {
         TypeObject *object = i.get<TypeObject>();
         unsigned count = object->getPropertyCount();
         for (unsigned i = 0; i < count; i++) {
             Property *prop = object->getProperty(i);
             if (prop && prop->types.hasType(Type::ObjectType(target)))
                 prop->types.addType(cx, Type::AnyObjectType());
         }
     }
     for (gc::CellIter i(cx->zone(), gc::FINALIZE_SCRIPT); !i.done(); i.next()) {
         RootedScript script(cx, i.get<JSScript>());
         if (script->types) {
             unsigned count = TypeScript::NumTypeSets(script);
             StackTypeSet *typeArray = script->types->typeArray();
             for (unsigned i = 0; i < count; i++) {
                 if (typeArray[i].hasType(Type::ObjectType(target)))
                     typeArray[i].addType(cx, Type::AnyObjectType());
             }
         }
     }
     target->addFlags(OBJECT_FLAG_SETS_MARKED_UNKNOWN);
 }
 void
 TypeCompartment::print(JSContext *cx, bool force)
 {
 #ifdef DEBUG
     gc::AutoSuppressGC suppressGC(cx);
     JSCompartment *compartment = this->compartment();
     AutoEnterAnalysis enter(nullptr, compartment);
     if (!force && !InferSpewActive(ISpewResult))
         return;
     for (gc::CellIter i(compartment->zone(), gc::FINALIZE_SCRIPT); !i.done(); i.next()) {
         // Note: use cx->runtime() instead of cx to work around IsInRequest(cx)
         // assertion failures when we're called from DestroyContext.
         RootedScript script(cx->runtime(), i.get<JSScript>());
         if (script->types)
             script->types->printTypes(cx, script);
     }
     for (gc::CellIter i(compartment->zone(), gc::FINALIZE_TYPE_OBJECT); !i.done(); i.next()) {
         TypeObject *object = i.get<TypeObject>();
         object->print();
     }
 #endif
 }
 /////////////////////////////////////////////////////////////////////
 // TypeCompartment tables
 /////////////////////////////////////////////////////////////////////
 /*
  * The arrayTypeTable and objectTypeTable are per-compartment tables for making
  * common type objects to model the contents of large script singletons and
  * JSON objects. These are vanilla Arrays and native Objects, so we distinguish
  * the types of different ones by looking at the types of their properties.
  *
  * All singleton/JSON arrays which have the same prototype, are homogenous and
  * of the same element type will share a type object. All singleton/JSON
  * objects which have the same shape and property types will also share a type
  * object. We don't try to collate arrays or objects that have type mismatches.
  */
 static inline bool
 NumberTypes(Type a, Type b)
 {
     return (a.isPrimitive(JSVAL_TYPE_INT32) || a.isPrimitive(JSVAL_TYPE_DOUBLE))
         && (b.isPrimitive(JSVAL_TYPE_INT32) || b.isPrimitive(JSVAL_TYPE_DOUBLE));
 }
 /*
  * As for GetValueType, but requires object types to be non-singletons with
  * their default prototype. These are the only values that should appear in
  * arrays and objects whose type can be fixed.
  */
 static inline Type
 GetValueTypeForTable(const Value &v)
 {
     Type type = GetValueType(v);
     JS_ASSERT(!type.isSingleObject());
     return type;
 }
 struct types::ArrayTableKey : public DefaultHasher<types::ArrayTableKey>
 {
     Type type;
     JSObject *proto;
     ArrayTableKey()
       : type(Type::UndefinedType()), proto(nullptr)
     {}
     ArrayTableKey(Type type, JSObject *proto)
       : type(type), proto(proto)
     {}
     static inline uint32_t hash(const ArrayTableKey &v) {
         return (uint32_t) (v.type.raw() ^ ((uint32_t)(size_t)v.proto >> 2));
     }
     static inline bool match(const ArrayTableKey &v1, const ArrayTableKey &v2) {
         return v1.type == v2.type && v1.proto == v2.proto;
     }
 };
 void
 TypeCompartment::setTypeToHomogenousArray(ExclusiveContext *cx,
                                           JSObject *obj, Type elementType)
 {
     JS_ASSERT(cx->compartment()->activeAnalysis);
     if (!arrayTypeTable) {
         arrayTypeTable = cx->new_<ArrayTypeTable>();
         if (!arrayTypeTable || !arrayTypeTable->init()) {
             arrayTypeTable = nullptr;
             return;
         }
     }
     ArrayTableKey key(elementType, obj->getProto());
     DependentAddPtr<ArrayTypeTable> p(cx, *arrayTypeTable, key);
     if (p) {
         obj->setType(p->value());
     } else {
         /* Make a new type to use for future arrays with the same elements. */
         RootedObject objProto(cx, obj->getProto());
         TypeObject *objType = newTypeObject(cx, &ArrayObject::class_, objProto);
         if (!objType)
             return;
         obj->setType(objType);
         if (!objType->unknownProperties())
             objType->addPropertyType(cx, JSID_VOID, elementType);
         key.proto = objProto;
         (void) p.add(cx, *arrayTypeTable, key, objType);
     }
 }
 void
 TypeCompartment::fixArrayType(ExclusiveContext *cx, JSObject *obj)
 {
     AutoEnterAnalysis enter(cx);
     /*
      * If the array is of homogenous type, pick a type object which will be
      * shared with all other singleton/JSON arrays of the same type.
      * If the array is heterogenous, keep the existing type object, which has
      * unknown properties.
      */
     JS_ASSERT(obj->is<ArrayObject>());
     unsigned len = obj->getDenseInitializedLength();
     if (len == 0)
         return;
     Type type = GetValueTypeForTable(obj->getDenseElement(0));
     for (unsigned i = 1; i < len; i++) {
         Type ntype = GetValueTypeForTable(obj->getDenseElement(i));
         if (ntype != type) {
             if (NumberTypes(type, ntype))
                 type = Type::DoubleType();
             else
                 return;
         }
     }
     setTypeToHomogenousArray(cx, obj, type);
 }
 void
 types::FixRestArgumentsType(ExclusiveContext *cx, JSObject *obj)
 {
     cx->compartment()->types.fixRestArgumentsType(cx, obj);
 }
 void
 TypeCompartment::fixRestArgumentsType(ExclusiveContext *cx, JSObject *obj)
 {
     AutoEnterAnalysis enter(cx);
     /*
      * Tracking element types for rest argument arrays is not worth it, but we
      * still want it to be known that it's a dense array.
      */
     JS_ASSERT(obj->is<ArrayObject>());
     setTypeToHomogenousArray(cx, obj, Type::UnknownType());
 }
 /*
  * N.B. We could also use the initial shape of the object (before its type is
  * fixed) as the key in the object table, but since all references in the table
  * are weak the hash entries would usually be collected on GC even if objects
  * with the new type/shape are still live.
  */
 struct types::ObjectTableKey
 {
     jsid *properties;
     uint32_t nproperties;
     uint32_t nfixed;
     struct Lookup {
         IdValuePair *properties;
         uint32_t nproperties;
         uint32_t nfixed;
         Lookup(IdValuePair *properties, uint32_t nproperties, uint32_t nfixed)
           : properties(properties), nproperties(nproperties), nfixed(nfixed)
         {}
     };
     static inline HashNumber hash(const Lookup &lookup) {
         return (HashNumber) (JSID_BITS(lookup.properties[lookup.nproperties - 1].id) ^
                              lookup.nproperties ^
                              lookup.nfixed);
     }
     static inline bool match(const ObjectTableKey &v, const Lookup &lookup) {
         if (lookup.nproperties != v.nproperties || lookup.nfixed != v.nfixed)
             return false;
         for (size_t i = 0; i < lookup.nproperties; i++) {
             if (lookup.properties[i].id != v.properties[i])
                 return false;
         }
         return true;
     }
 };
 struct types::ObjectTableEntry
 {
     ReadBarriered<TypeObject> object;
     ReadBarriered<Shape> shape;
     Type *types;
 };
 static inline void
 UpdateObjectTableEntryTypes(ExclusiveContext *cx, ObjectTableEntry &entry,
                             IdValuePair *properties, size_t nproperties)
 {
     if (entry.object->unknownProperties())
         return;
     for (size_t i = 0; i < nproperties; i++) {
         Type type = entry.types[i];
         Type ntype = GetValueTypeForTable(properties[i].value);
         if (ntype == type)
             continue;
         if (ntype.isPrimitive(JSVAL_TYPE_INT32) &&
             type.isPrimitive(JSVAL_TYPE_DOUBLE))
         {
             /* The property types already reflect 'int32'. */
         } else {
             if (ntype.isPrimitive(JSVAL_TYPE_DOUBLE) &&
                 type.isPrimitive(JSVAL_TYPE_INT32))
             {
                 /* Include 'double' in the property types to avoid the update below later. */
                 entry.types[i] = Type::DoubleType();
             }
             entry.object->addPropertyType(cx, IdToTypeId(properties[i].id), ntype);
         }
     }
 }
 void
 TypeCompartment::fixObjectType(ExclusiveContext *cx, JSObject *obj)
 {
     AutoEnterAnalysis enter(cx);
     if (!objectTypeTable) {
         objectTypeTable = cx->new_<ObjectTypeTable>();
         if (!objectTypeTable || !objectTypeTable->init()) {
             js_delete(objectTypeTable);
             objectTypeTable = nullptr;
             return;
         }
     }
     /*
      * Use the same type object for all singleton/JSON objects with the same
      * base shape, i.e. the same fields written in the same order.
      */
     JS_ASSERT(obj->is<JSObject>());
     /*
      * Exclude some objects we can't readily associate common types for based on their
      * shape. Objects with metadata are excluded so that the metadata does not need to
      * be included in the table lookup (the metadata object might be in the nursery).
      */
     if (obj->slotSpan() == 0 || obj->inDictionaryMode() || !obj->hasEmptyElements() || obj->getMetadata())
         return;
     Vector<IdValuePair> properties(cx);
     if (!properties.resize(obj->slotSpan()))
         return;
     Shape *shape = obj->lastProperty();
     while (!shape->isEmptyShape()) {
         IdValuePair &entry = properties[shape->slot()];
         entry.id = shape->propid();
         entry.value = obj->getSlot(shape->slot());
         shape = shape->previous();
     }
     ObjectTableKey::Lookup lookup(properties.begin(), properties.length(), obj->numFixedSlots());
     ObjectTypeTable::AddPtr p = objectTypeTable->lookupForAdd(lookup);
     if (p) {
         JS_ASSERT(obj->getProto() == p->value().object->proto().toObject());
         JS_ASSERT(obj->lastProperty() == p->value().shape);
         UpdateObjectTableEntryTypes(cx, p->value(), properties.begin(), properties.length());
         obj->setType(p->value().object);
         return;
     }
     /* Make a new type to use for the object and similar future ones. */
     Rooted<TaggedProto> objProto(cx, obj->getTaggedProto());
     TypeObject *objType = newTypeObject(cx, &JSObject::class_, objProto);
     if (!objType || !objType->addDefiniteProperties(cx, obj))
         return;
     if (obj->isIndexed())
         objType->setFlags(cx, OBJECT_FLAG_SPARSE_INDEXES);
     ScopedJSFreePtr<jsid> ids(cx->pod_calloc<jsid>(properties.length()));
     if (!ids)
         return;
     ScopedJSFreePtr<Type> types(cx->pod_calloc<Type>(properties.length()));
     if (!types)
         return;
     for (size_t i = 0; i < properties.length(); i++) {
         ids[i] = properties[i].id;
         types[i] = GetValueTypeForTable(obj->getSlot(i));
         if (!objType->unknownProperties())
             objType->addPropertyType(cx, IdToTypeId(ids[i]), types[i]);
     }
     ObjectTableKey key;
     key.properties = ids;
     key.nproperties = properties.length();
     key.nfixed = obj->numFixedSlots();
     JS_ASSERT(ObjectTableKey::match(key, lookup));
     ObjectTableEntry entry;
     entry.object = objType;
     entry.shape = obj->lastProperty();
     entry.types = types;
     obj->setType(objType);
     p = objectTypeTable->lookupForAdd(lookup);
     if (objectTypeTable->add(p, key, entry)) {
         ids.forget();
         types.forget();
     }
 }
 JSObject *
 TypeCompartment::newTypedObject(JSContext *cx, IdValuePair *properties, size_t nproperties)
 {
     AutoEnterAnalysis enter(cx);
     if (!objectTypeTable) {
         objectTypeTable = cx->new_<ObjectTypeTable>();
         if (!objectTypeTable || !objectTypeTable->init()) {
             js_delete(objectTypeTable);
             objectTypeTable = nullptr;
             return nullptr;
         }
     }
     /*
      * Use the object type table to allocate an object with the specified
      * properties, filling in its final type and shape and failing if no cache
      * entry could be found for the properties.
      */
     /*
      * Filter out a few cases where we don't want to use the object type table.
      * Note that if the properties contain any duplicates or dense indexes,
      * the lookup below will fail as such arrays of properties cannot be stored
      * in the object type table --- fixObjectType populates the table with
      * properties read off its input object, which cannot be duplicates, and
      * ignores objects with dense indexes.
      */
     if (!nproperties || nproperties >= PropertyTree::MAX_HEIGHT)
         return nullptr;
     gc::AllocKind allocKind = gc::GetGCObjectKind(nproperties);
     size_t nfixed = gc::GetGCKindSlots(allocKind, &JSObject::class_);
     ObjectTableKey::Lookup lookup(properties, nproperties, nfixed);
     ObjectTypeTable::AddPtr p = objectTypeTable->lookupForAdd(lookup);
     if (!p)
         return nullptr;
     RootedObject obj(cx, NewBuiltinClassInstance(cx, &JSObject::class_, allocKind));
     if (!obj) {
         cx->clearPendingException();
         return nullptr;
     }
     JS_ASSERT(obj->getProto() == p->value().object->proto().toObject());
     RootedShape shape(cx, p->value().shape);
     if (!JSObject::setLastProperty(cx, obj, shape)) {
         cx->clearPendingException();
         return nullptr;
     }
     UpdateObjectTableEntryTypes(cx, p->value(), properties, nproperties);
     for (size_t i = 0; i < nproperties; i++)
         obj->setSlot(i, properties[i].value);
     obj->setType(p->value().object);
     return obj;
 }
 /////////////////////////////////////////////////////////////////////
 // TypeObject
 /////////////////////////////////////////////////////////////////////
 void
 TypeObject::setProto(JSContext *cx, TaggedProto proto)
 {
     JS_ASSERT(singleton());
     if (proto.isObject() && IsInsideNursery(cx->runtime(), proto.toObject()))
         addFlags(OBJECT_FLAG_NURSERY_PROTO);
     setProtoUnchecked(proto);
 }
 static inline void
 UpdatePropertyType(ExclusiveContext *cx, HeapTypeSet *types, JSObject *obj, Shape *shape,
                    bool indexed)
 {
     if (!shape->writable())
         types->setNonWritableProperty(cx);
     if (shape->hasGetterValue() || shape->hasSetterValue()) {
         types->setNonDataProperty(cx);
         types->TypeSet::addType(Type::UnknownType(), &cx->typeLifoAlloc());
     } else if (shape->hasDefaultGetter() && shape->hasSlot()) {
         if (!indexed && types->canSetDefinite(shape->slot()))
             types->setDefinite(shape->slot());
         const Value &value = obj->nativeGetSlot(shape->slot());
         /*
          * Don't add initial undefined types for properties of global objects
          * that are not collated into the JSID_VOID property (see propertySet
          * comment).
          */
         if (indexed || !value.isUndefined() || !CanHaveEmptyPropertyTypesForOwnProperty(obj)) {
             Type type = GetValueType(value);
             types->TypeSet::addType(type, &cx->typeLifoAlloc());
         }
     }
 }
 void
 TypeObject::updateNewPropertyTypes(ExclusiveContext *cx, jsid id, HeapTypeSet *types)
 {
     InferSpew(ISpewOps, "typeSet: %sT%p%s property %s %s",
               InferSpewColor(types), types, InferSpewColorReset(),
               TypeObjectString(this), TypeIdString(id));
     if (!singleton() || !singleton()->isNative())
         return;
     /*
      * Fill the property in with any type the object already has in an own
      * property. We are only interested in plain native properties and
      * dense elements which don't go through a barrier when read by the VM
      * or jitcode.
      */
     if (JSID_IS_VOID(id)) {
         /* Go through all shapes on the object to get integer-valued properties. */
         RootedShape shape(cx, singleton()->lastProperty());
         while (!shape->isEmptyShape()) {
             if (JSID_IS_VOID(IdToTypeId(shape->propid())))
                 UpdatePropertyType(cx, types, singleton(), shape, true);
             shape = shape->previous();
         }
         /* Also get values of any dense elements in the object. */
         for (size_t i = 0; i < singleton()->getDenseInitializedLength(); i++) {
             const Value &value = singleton()->getDenseElement(i);
             if (!value.isMagic(JS_ELEMENTS_HOLE)) {
                 Type type = GetValueType(value);
                 types->TypeSet::addType(type, &cx->typeLifoAlloc());
             }
         }
     } else if (!JSID_IS_EMPTY(id)) {
         RootedId rootedId(cx, id);
         Shape *shape = singleton()->nativeLookup(cx, rootedId);
         if (shape)
             UpdatePropertyType(cx, types, singleton(), shape, false);
     }
     if (singleton()->watched()) {
         /*
          * Mark the property as non-data, to inhibit optimizations on it
          * and avoid bypassing the watchpoint handler.
          */
         types->setNonDataProperty(cx);
     }
 }
 bool
 TypeObject::addDefiniteProperties(ExclusiveContext *cx, JSObject *obj)
 {
     if (unknownProperties())
         return true;
     /* Mark all properties of obj as definite properties of this type. */
     AutoEnterAnalysis enter(cx);
     RootedShape shape(cx, obj->lastProperty());
     while (!shape->isEmptyShape()) {
         jsid id = IdToTypeId(shape->propid());
         if (!JSID_IS_VOID(id) && obj->isFixedSlot(shape->slot())) {
             TypeSet *types = getProperty(cx, id);
             if (!types)
                 return false;
             types->setDefinite(shape->slot());
         }
         shape = shape->previous();
     }
     return true;
 }
 bool
 TypeObject::matchDefiniteProperties(HandleObject obj)
 {
     unsigned count = getPropertyCount();
     for (unsigned i = 0; i < count; i++) {
         Property *prop = getProperty(i);
         if (!prop)
             continue;
         if (prop->types.definiteProperty()) {
             unsigned slot = prop->types.definiteSlot();
             bool found = false;
             Shape *shape = obj->lastProperty();
             while (!shape->isEmptyShape()) {
                 if (shape->slot() == slot && shape->propid() == prop->id) {
                     found = true;
                     break;
                 }
                 shape = shape->previous();
             }
             if (!found)
                 return false;
         }
     }
     return true;
 }
 static inline void
 InlineAddTypeProperty(ExclusiveContext *cx, TypeObject *obj, jsid id, Type type)
 {
     JS_ASSERT(id == IdToTypeId(id));
     AutoEnterAnalysis enter(cx);
     HeapTypeSet *types = obj->getProperty(cx, id);
     if (!types || types->hasType(type))
         return;
     InferSpew(ISpewOps, "externalType: property %s %s: %s",
               TypeObjectString(obj), TypeIdString(id), TypeString(type));
     types->addType(cx, type);
 }
 void
 TypeObject::addPropertyType(ExclusiveContext *cx, jsid id, Type type)
 {
     InlineAddTypeProperty(cx, this, id, type);
 }
 void
 TypeObject::addPropertyType(ExclusiveContext *cx, jsid id, const Value &value)
 {
     InlineAddTypeProperty(cx, this, id, GetValueType(value));
 }
 void
 TypeObject::markPropertyNonData(ExclusiveContext *cx, jsid id)
 {
     AutoEnterAnalysis enter(cx);
     id = IdToTypeId(id);
     HeapTypeSet *types = getProperty(cx, id);
     if (types)
         types->setNonDataProperty(cx);
 }
 void
 TypeObject::markPropertyNonWritable(ExclusiveContext *cx, jsid id)
 {
     AutoEnterAnalysis enter(cx);
     id = IdToTypeId(id);
     HeapTypeSet *types = getProperty(cx, id);
     if (types)
         types->setNonWritableProperty(cx);
 }
 bool
 TypeObject::isPropertyNonData(jsid id)
 {
     TypeSet *types = maybeGetProperty(id);
     if (types)
         return types->nonDataProperty();
     return false;
 }
 bool
 TypeObject::isPropertyNonWritable(jsid id)
 {
     TypeSet *types = maybeGetProperty(id);
     if (types)
         return types->nonWritableProperty();
     return false;
 }
 void
 TypeObject::markStateChange(ExclusiveContext *cxArg)
 {
     if (unknownProperties())
         return;
     AutoEnterAnalysis enter(cxArg);
     HeapTypeSet *types = maybeGetProperty(JSID_EMPTY);
     if (types) {
         if (JSContext *cx = cxArg->maybeJSContext()) {
             TypeConstraint *constraint = types->constraintList;
             while (constraint) {
                 constraint->newObjectState(cx, this);
                 constraint = constraint->next;
             }
         } else {
             JS_ASSERT(!types->constraintList);
         }
     }
 }
 void
 TypeObject::setFlags(ExclusiveContext *cx, TypeObjectFlags flags)
 {
     if (hasAllFlags(flags))
         return;
     AutoEnterAnalysis enter(cx);
     if (singleton()) {
         /* Make sure flags are consistent with persistent object state. */
         JS_ASSERT_IF(flags & OBJECT_FLAG_ITERATED,
                      singleton()->lastProperty()->hasObjectFlag(BaseShape::ITERATED_SINGLETON));
     }
     addFlags(flags);
     InferSpew(ISpewOps, "%s: setFlags 0x%x", TypeObjectString(this), flags);
     ObjectStateChange(cx, this, false);
 }
 void
 TypeObject::markUnknown(ExclusiveContext *cx)
 {
     AutoEnterAnalysis enter(cx);
     JS_ASSERT(cx->compartment()->activeAnalysis);
     JS_ASSERT(!unknownProperties());
     if (!(flags() & OBJECT_FLAG_ADDENDUM_CLEARED))
         clearAddendum(cx);
     InferSpew(ISpewOps, "UnknownProperties: %s", TypeObjectString(this));
     ObjectStateChange(cx, this, true);
     /*
      * Existing constraints may have already been added to this object, which we need
      * to do the right thing for. We can't ensure that we will mark all unknown
      * objects before they have been accessed, as the __proto__ of a known object
      * could be dynamically set to an unknown object, and we can decide to ignore
      * properties of an object during analysis (i.e. hashmaps). Adding unknown for
      * any properties accessed already accounts for possible values read from them.
      */
     unsigned count = getPropertyCount();
     for (unsigned i = 0; i < count; i++) {
         Property *prop = getProperty(i);
         if (prop) {
             prop->types.addType(cx, Type::UnknownType());
             prop->types.setNonDataProperty(cx);
         }
     }
 }
 void
 TypeObject::clearAddendum(ExclusiveContext *cx)
 {
     JS_ASSERT(!(flags() & OBJECT_FLAG_ADDENDUM_CLEARED));
     addFlags(OBJECT_FLAG_ADDENDUM_CLEARED);
     /*
      * It is possible for the object to not have a new script or other
      * addendum yet, but to have one added in the future. When
      * analyzing properties of new scripts we mix in adding
      * constraints to trigger clearNewScript with changes to the type
      * sets themselves (from breakTypeBarriers). It is possible that
      * we could trigger one of these constraints before
      * AnalyzeNewScriptProperties has finished, in which case we want
      * to make sure that call fails.
      */
     if (!addendum)
         return;
     switch (addendum->kind) {
       case TypeObjectAddendum::NewScript:
         clearNewScriptAddendum(cx);
         break;
       case TypeObjectAddendum::TypedObject:
         clearTypedObjectAddendum(cx);
         break;
     }
     /* We nullptr out addendum *before* freeing it so the write barrier works. */
     TypeObjectAddendum *savedAddendum = addendum;
     addendum = nullptr;
     js_free(savedAddendum);
     markStateChange(cx);
 }
 void
 TypeObject::clearNewScriptAddendum(ExclusiveContext *cx)
 {
     AutoEnterAnalysis enter(cx);
     /*
      * Any definite properties we added due to analysis of the new script when
      * the type object was created are now invalid: objects with the same type
      * can be created by using 'new' on a different script or through some
      * other mechanism (e.g. Object.create). Rather than clear out the definite
      * bits on the object's properties, just mark such properties as having
      * been deleted/reconfigured, which will have the same effect on JITs
      * wanting to use the definite bits to optimize property accesses.
      */
     for (unsigned i = 0; i < getPropertyCount(); i++) {
         Property *prop = getProperty(i);
         if (!prop)
             continue;
         if (prop->types.definiteProperty())
             prop->types.setNonDataProperty(cx);
     }
     /*
      * If we cleared the new script while in the middle of initializing an
      * object, it will still have the new script's shape and reflect the no
      * longer correct state of the object once its initialization is completed.
      * We can't really detect the possibility of this statically, but the new
      * script keeps track of where each property is initialized so we can walk
      * the stack and fix up any such objects.
      */
     if (cx->isJSContext()) {
         Vector<uint32_t, 32> pcOffsets(cx);
         for (ScriptFrameIter iter(cx->asJSContext()); !iter.done(); ++iter) {
             pcOffsets.append(iter.script()->pcToOffset(iter.pc()));
             if (!iter.isConstructing() ||
                 iter.callee() != newScript()->fun ||
                 !iter.thisv().isObject() ||
                 iter.thisv().toObject().hasLazyType() ||
                 iter.thisv().toObject().type() != this)
             {
                 continue;
             }
             // Found a matching frame.
             RootedObject obj(cx, &iter.thisv().toObject());
             // Whether all identified 'new' properties have been initialized.
             bool finished = false;
             // If not finished, number of properties that have been added.
             uint32_t numProperties = 0;
             // Whether the current SETPROP is within an inner frame which has
             // finished entirely.
             bool pastProperty = false;
             // Index in pcOffsets of the outermost frame.
             int callDepth = pcOffsets.length() - 1;
             // Index in pcOffsets of the frame currently being checked for a SETPROP.
             int setpropDepth = callDepth;
             for (TypeNewScript::Initializer *init = newScript()->initializerList;; init++) {
                 if (init->kind == TypeNewScript::Initializer::SETPROP) {
                     if (!pastProperty && pcOffsets[setpropDepth] < init->offset) {
                         // Have not yet reached this setprop.
                         break;
                     }
                     // This setprop has executed, reset state for the next one.
                     numProperties++;
                     pastProperty = false;
                     setpropDepth = callDepth;
                 } else if (init->kind == TypeNewScript::Initializer::SETPROP_FRAME) {
                     if (!pastProperty) {
                         if (pcOffsets[setpropDepth] < init->offset) {
                             // Have not yet reached this inner call.
                             break;
                         } else if (pcOffsets[setpropDepth] > init->offset) {
                             // Have advanced past this inner call.
                             pastProperty = true;
                         } else if (setpropDepth == 0) {
                             // Have reached this call but not yet in it.
                             break;
                         } else {
                             // Somewhere inside this inner call.
                             setpropDepth--;
                         }
                     }
                 } else {
                     JS_ASSERT(init->kind == TypeNewScript::Initializer::DONE);
                     finished = true;
                     break;
                 }
             }
             if (!finished)
                 (void) JSObject::rollbackProperties(cx, obj, numProperties);
         }
     } else {
         // Threads with an ExclusiveContext are not allowed to run scripts.
         JS_ASSERT(!cx->perThreadData->activation());
     }
 }
 void
 TypeObject::maybeClearNewScriptAddendumOnOOM()
 {
     if (!isMarked())
         return;
     if (!addendum || addendum->kind != TypeObjectAddendum::NewScript)
         return;
     for (unsigned i = 0; i < getPropertyCount(); i++) {
         Property *prop = getProperty(i);
         if (!prop)
             continue;
         if (prop->types.definiteProperty())
             prop->types.setNonDataPropertyIgnoringConstraints();
     }
     // This method is called during GC sweeping, so there is no write barrier
     // that needs to be triggered.
     js_free(addendum);
     addendum.unsafeSet(nullptr);
 }
 void
 TypeObject::clearTypedObjectAddendum(ExclusiveContext *cx)
 {
 }
 void
 TypeObject::print()
 {
     TaggedProto tagged(proto());
     fprintf(stderr, "%s : %s",
             TypeObjectString(this),
             tagged.isObject() ? TypeString(Type::ObjectType(tagged.toObject()))
                               : (tagged.isLazy() ? "(lazy)" : "(null)"));
     if (unknownProperties()) {
         fprintf(stderr, " unknown");
     } else {
         if (!hasAnyFlags(OBJECT_FLAG_SPARSE_INDEXES))
             fprintf(stderr, " dense");
         if (!hasAnyFlags(OBJECT_FLAG_NON_PACKED))
             fprintf(stderr, " packed");
         if (!hasAnyFlags(OBJECT_FLAG_LENGTH_OVERFLOW))
             fprintf(stderr, " noLengthOverflow");
         if (hasAnyFlags(OBJECT_FLAG_ITERATED))
             fprintf(stderr, " iterated");
         if (interpretedFunction)
             fprintf(stderr, " ifun");
     }
     unsigned count = getPropertyCount();
     if (count == 0) {
         fprintf(stderr, " {}\n");
         return;
     }
     fprintf(stderr, " {");
     for (unsigned i = 0; i < count; i++) {
         Property *prop = getProperty(i);
         if (prop) {
             fprintf(stderr, "\n    %s:", TypeIdString(prop->id));
             prop->types.print();
         }
     }
     fprintf(stderr, "\n}\n");
 }
 /////////////////////////////////////////////////////////////////////
 // Type Analysis
 /////////////////////////////////////////////////////////////////////
 /*
  * Persistent constraint clearing out newScript and definite properties from
  * an object should a property on another object get a getter or setter.
  */
 class TypeConstraintClearDefiniteGetterSetter : public TypeConstraint
 {
   public:
     TypeObject *object;
     TypeConstraintClearDefiniteGetterSetter(TypeObject *object)
         : object(object)
     {}
     const char *kind() { return "clearDefiniteGetterSetter"; }
     void newPropertyState(JSContext *cx, TypeSet *source)
     {
         if (!object->hasNewScript())
             return;
         /*
          * Clear out the newScript shape and definite property information from
          * an object if the source type set could be a setter or could be
          * non-writable.
          */
         if (!(object->flags() & OBJECT_FLAG_ADDENDUM_CLEARED) &&
             (source->nonDataProperty() || source->nonWritableProperty()))
         {
             object->clearAddendum(cx);
         }
     }
     void newType(JSContext *cx, TypeSet *source, Type type) {}
     bool sweep(TypeZone &zone, TypeConstraint **res) {
         if (IsTypeObjectAboutToBeFinalized(&object))
             return false;
         *res = zone.typeLifoAlloc.new_<TypeConstraintClearDefiniteGetterSetter>(object);
         return true;
     }
 };
 bool
 types::AddClearDefiniteGetterSetterForPrototypeChain(JSContext *cx, TypeObject *type, HandleId id)
 {
     /*
      * Ensure that if the properties named here could have a getter, setter or
      * a permanent property in any transitive prototype, the definite
      * properties get cleared from the type.
      */
     RootedObject parent(cx, type->proto().toObjectOrNull());
     while (parent) {
         TypeObject *parentObject = parent->getType(cx);
         if (!parentObject || parentObject->unknownProperties())
             return false;
         HeapTypeSet *parentTypes = parentObject->getProperty(cx, id);
         if (!parentTypes || parentTypes->nonDataProperty() || parentTypes->nonWritableProperty())
             return false;
         if (!parentTypes->addConstraint(cx, cx->typeLifoAlloc().new_<TypeConstraintClearDefiniteGetterSetter>(type)))
             return false;
         parent = parent->getProto();
     }
     return true;
 }
 /*
  * Constraint which clears definite properties on an object should a type set
  * contain any types other than a single object.
  */
 class TypeConstraintClearDefiniteSingle : public TypeConstraint
 {
   public:
     TypeObject *object;
     TypeConstraintClearDefiniteSingle(TypeObject *object)
         : object(object)
     {}
     const char *kind() { return "clearDefiniteSingle"; }
     void newType(JSContext *cx, TypeSet *source, Type type) {
         if (object->flags() & OBJECT_FLAG_ADDENDUM_CLEARED)
             return;
         if (source->baseFlags() || source->getObjectCount() > 1)
             object->clearAddendum(cx);
     }
     bool sweep(TypeZone &zone, TypeConstraint **res) {
         if (IsTypeObjectAboutToBeFinalized(&object))
             return false;
         *res = zone.typeLifoAlloc.new_<TypeConstraintClearDefiniteSingle>(object);
         return true;
     }
 };
 bool
 types::AddClearDefiniteFunctionUsesInScript(JSContext *cx, TypeObject *type,
                                             JSScript *script, JSScript *calleeScript)
 {
     // Look for any uses of the specified calleeScript in type sets for
     // |script|, and add constraints to ensure that if the type sets' contents
     // change then the definite properties are cleared from the type.
     // This ensures that the inlining performed when the definite properties
     // analysis was done is stable.
     TypeObjectKey *calleeKey = Type::ObjectType(calleeScript->functionNonDelazifying()).objectKey();
     unsigned count = TypeScript::NumTypeSets(script);
     StackTypeSet *typeArray = script->types->typeArray();
     for (unsigned i = 0; i < count; i++) {
         StackTypeSet *types = &typeArray[i];
         if (!types->unknownObject() && types->getObjectCount() == 1) {
             if (calleeKey != types->getObject(0)) {
                 // Also check if the object is the Function.call or
                 // Function.apply native. IonBuilder uses the presence of these
                 // functions during inlining.
                 JSObject *singleton = types->getSingleObject(0);
                 if (!singleton || !singleton->is<JSFunction>())
                     continue;
                 JSFunction *fun = &singleton->as<JSFunction>();
                 if (!fun->isNative())
                     continue;
                 if (fun->native() != js_fun_call && fun->native() != js_fun_apply)
                     continue;
             }
             // This is a type set that might have been used when inlining
             // |calleeScript| into |script|.
             if (!types->addConstraint(cx, cx->typeLifoAlloc().new_<TypeConstraintClearDefiniteSingle>(type)))
                 return false;
         }
     }
     return true;
 }
 /*
  * Either make the newScript information for type when it is constructed
  * by the specified script, or regenerate the constraints for an existing
  * newScript on the type after they were cleared by a GC.
  */
 static void
 CheckNewScriptProperties(JSContext *cx, TypeObject *type, JSFunction *fun)
 {
     JS_ASSERT(cx->compartment()->activeAnalysis);
 #ifdef JS_ION
     if (type->unknownProperties())
         return;
     /* Strawman object to add properties to and watch for duplicates. */
     RootedObject baseobj(cx, NewBuiltinClassInstance(cx, &JSObject::class_, gc::FINALIZE_OBJECT16));
     if (!baseobj)
         return;
     Vector<TypeNewScript::Initializer> initializerList(cx);
     if (!jit::AnalyzeNewScriptProperties(cx, fun, type, baseobj, &initializerList) ||
         baseobj->slotSpan() == 0 ||
         !!(type->flags() & OBJECT_FLAG_ADDENDUM_CLEARED))
     {
         if (type->hasNewScript())
             type->clearAddendum(cx);
         return;
     }
     /*
      * If the type already has a new script, we are just regenerating the type
      * constraints and don't need to make another TypeNewScript. Make sure that
      * the properties added to baseobj match the type's definite properties.
      */
     if (type->hasNewScript()) {
         if (!type->matchDefiniteProperties(baseobj))
             type->clearAddendum(cx);
         return;
     }
     JS_ASSERT(!type->hasNewScript());
     JS_ASSERT(!(type->flags() & OBJECT_FLAG_ADDENDUM_CLEARED));
     gc::AllocKind kind = gc::GetGCObjectKind(baseobj->slotSpan());
     /* We should not have overflowed the maximum number of fixed slots for an object. */
     JS_ASSERT(gc::GetGCKindSlots(kind) >= baseobj->slotSpan());
     TypeNewScript::Initializer done(TypeNewScript::Initializer::DONE, 0);
     /*
      * The base object may have been created with a different finalize kind
      * than we will use for subsequent new objects. Generate an object with the
      * appropriate final shape.
      */
     Rooted<TypeObject *> rootedType(cx, type);
     RootedShape shape(cx, baseobj->lastProperty());
     baseobj = NewReshapedObject(cx, rootedType, baseobj->getParent(), kind, shape, MaybeSingletonObject);
     if (!baseobj ||
         !type->addDefiniteProperties(cx, baseobj) ||
         !initializerList.append(done))
     {
         return;
     }
     size_t numBytes = sizeof(TypeNewScript)
                     + (initializerList.length() * sizeof(TypeNewScript::Initializer));
     TypeNewScript *newScript = (TypeNewScript *) cx->calloc_(numBytes);
     if (!newScript)
         return;
     new (newScript) TypeNewScript();
     type->setAddendum(newScript);
     newScript->fun = fun;
     newScript->templateObject = baseobj;
     newScript->initializerList = (TypeNewScript::Initializer *)
         ((char *) newScript + sizeof(TypeNewScript));
     PodCopy(newScript->initializerList,
             initializerList.begin(),
             initializerList.length());
 #endif // JS_ION
 }
 /////////////////////////////////////////////////////////////////////
 // Interface functions
 /////////////////////////////////////////////////////////////////////
 void
 types::TypeMonitorCallSlow(JSContext *cx, JSObject *callee, const CallArgs &args,
                            bool constructing)
 {
     unsigned nargs = callee->as<JSFunction>().nargs();
     JSScript *script = callee->as<JSFunction>().nonLazyScript();
     if (!constructing)
         TypeScript::SetThis(cx, script, args.thisv());
     /*
      * Add constraints going up to the minimum of the actual and formal count.
      * If there are more actuals than formals the later values can only be
      * accessed through the arguments object, which is monitored.
      */
     unsigned arg = 0;
     for (; arg < args.length() && arg < nargs; arg++)
         TypeScript::SetArgument(cx, script, arg, args[arg]);
     /* Watch for fewer actuals than formals to the call. */
     for (; arg < nargs; arg++)
         TypeScript::SetArgument(cx, script, arg, UndefinedValue());
 }
 static inline bool
 IsAboutToBeFinalized(TypeObjectKey *key)
 {
     /* Mask out the low bit indicating whether this is a type or JS object. */
     gc::Cell *tmp = reinterpret_cast<gc::Cell *>(uintptr_t(key) & ~1);
     bool isAboutToBeFinalized = IsCellAboutToBeFinalized(&tmp);
     JS_ASSERT(tmp == reinterpret_cast<gc::Cell *>(uintptr_t(key) & ~1));
     return isAboutToBeFinalized;
 }
 void
 types::FillBytecodeTypeMap(JSScript *script, uint32_t *bytecodeMap)
 {
     uint32_t added = 0;
     for (jsbytecode *pc = script->code(); pc < script->codeEnd(); pc += GetBytecodeLength(pc)) {
         JSOp op = JSOp(*pc);
         if (js_CodeSpec[op].format & JOF_TYPESET) {
             bytecodeMap[added++] = script->pcToOffset(pc);
             if (added == script->nTypeSets())
                 break;
         }
     }
     JS_ASSERT(added == script->nTypeSets());
 }
 void
 types::TypeMonitorResult(JSContext *cx, JSScript *script, jsbytecode *pc, const js::Value &rval)
 {
     /* Allow the non-TYPESET scenario to simplify stubs used in compound opcodes. */
     if (!(js_CodeSpec[*pc].format & JOF_TYPESET))
         return;
     if (!script->hasBaselineScript())
         return;
     AutoEnterAnalysis enter(cx);
     Type type = GetValueType(rval);
     StackTypeSet *types = TypeScript::BytecodeTypes(script, pc);
     if (types->hasType(type))
         return;
     InferSpew(ISpewOps, "bytecodeType: #%u:%05u: %s",
               script->id(), script->pcToOffset(pc), TypeString(type));
     types->addType(cx, type);
 }
 bool
 types::UseNewTypeForClone(JSFunction *fun)
 {
     if (!fun->isInterpreted())
         return false;
     if (fun->hasScript() && fun->nonLazyScript()->shouldCloneAtCallsite())
         return true;
     if (fun->isArrow())
         return false;
     if (fun->hasSingletonType())
         return false;
     /*
      * When a function is being used as a wrapper for another function, it
      * improves precision greatly to distinguish between different instances of
      * the wrapper; otherwise we will conflate much of the information about
      * the wrapped functions.
      *
      * An important example is the Class.create function at the core of the
      * Prototype.js library, which looks like:
      *
      * var Class = {
      *   create: function() {
      *     return function() {
      *       this.initialize.apply(this, arguments);
      *     }
      *   }
      * };
      *
      * Each instance of the innermost function will have a different wrapped
      * initialize method. We capture this, along with similar cases, by looking
      * for short scripts which use both .apply and arguments. For such scripts,
      * whenever creating a new instance of the function we both give that
      * instance a singleton type and clone the underlying script.
      */
     uint32_t begin, end;
     if (fun->hasScript()) {
         if (!fun->nonLazyScript()->usesArgumentsAndApply())
             return false;
         begin = fun->nonLazyScript()->sourceStart();
         end = fun->nonLazyScript()->sourceEnd();
     } else {
         if (!fun->lazyScript()->usesArgumentsAndApply())
             return false;
         begin = fun->lazyScript()->begin();
         end = fun->lazyScript()->end();
     }
     return end - begin <= 100;
 }
 /////////////////////////////////////////////////////////////////////
 // TypeScript
 /////////////////////////////////////////////////////////////////////
 bool
 JSScript::makeTypes(JSContext *cx)
 {
     JS_ASSERT(!types);
     AutoEnterAnalysis enter(cx);
     unsigned count = TypeScript::NumTypeSets(this);
     TypeScript *typeScript = (TypeScript *)
         cx->calloc_(TypeScript::SizeIncludingTypeArray(count));
     if (!typeScript)
         return false;
     new(typeScript) TypeScript();
     TypeSet *typeArray = typeScript->typeArray();
     for (unsigned i = 0; i < count; i++)
         new (&typeArray[i]) StackTypeSet();
     types = typeScript;
 #ifdef DEBUG
     for (unsigned i = 0; i < nTypeSets(); i++) {
         InferSpew(ISpewOps, "typeSet: %sT%p%s bytecode%u #%u",
                   InferSpewColor(&typeArray[i]), &typeArray[i], InferSpewColorReset(),
                   i, id());
     }
     TypeSet *thisTypes = TypeScript::ThisTypes(this);
     InferSpew(ISpewOps, "typeSet: %sT%p%s this #%u",
               InferSpewColor(thisTypes), thisTypes, InferSpewColorReset(),
               id());
     unsigned nargs = functionNonDelazifying() ? functionNonDelazifying()->nargs() : 0;
     for (unsigned i = 0; i < nargs; i++) {
         TypeSet *types = TypeScript::ArgTypes(this, i);
         InferSpew(ISpewOps, "typeSet: %sT%p%s arg%u #%u",
                   InferSpewColor(types), types, InferSpewColorReset(),
                   i, id());
     }
 #endif
     return true;
 }
 /* static */ bool
 JSFunction::setTypeForScriptedFunction(ExclusiveContext *cx, HandleFunction fun,
                                        bool singleton /* = false */)
 {
     if (singleton) {
         if (!setSingletonType(cx, fun))
             return false;
     } else {
         RootedObject funProto(cx, fun->getProto());
         TypeObject *type =
             cx->compartment()->types.newTypeObject(cx, &JSFunction::class_, funProto);
         if (!type)
             return false;
         fun->setType(type);
         type->interpretedFunction = fun;
     }
     return true;
 }
 /////////////////////////////////////////////////////////////////////
 // JSObject
 /////////////////////////////////////////////////////////////////////
 bool
 JSObject::shouldSplicePrototype(JSContext *cx)
 {
     /*
      * During bootstrapping, if inference is enabled we need to make sure not
      * to splice a new prototype in for Function.prototype or the global
      * object if their __proto__ had previously been set to null, as this
      * will change the prototype for all other objects with the same type.
      */
     if (getProto() != nullptr)
         return false;
     return hasSingletonType();
 }
 bool
 JSObject::splicePrototype(JSContext *cx, const Class *clasp, Handle<TaggedProto> proto)
 {
     JS_ASSERT(cx->compartment() == compartment());
     RootedObject self(cx, this);
     /*
      * For singleton types representing only a single JSObject, the proto
      * can be rearranged as needed without destroying type information for
      * the old or new types.
      */
     JS_ASSERT(self->hasSingletonType());
     /* Inner objects may not appear on prototype chains. */
     JS_ASSERT_IF(proto.isObject(), !proto.toObject()->getClass()->ext.outerObject);
     /*
      * Force type instantiation when splicing lazy types. This may fail,
      * in which case inference will be disabled for the compartment.
      */
     Rooted<TypeObject*> type(cx, self->getType(cx));
     if (!type)
         return false;
     Rooted<TypeObject*> protoType(cx, nullptr);
     if (proto.isObject()) {
         protoType = proto.toObject()->getType(cx);
         if (!protoType)
             return false;
     }
     type->setClasp(clasp);
     type->setProto(cx, proto);
     return true;
 }
 /* static */ TypeObject *
 JSObject::makeLazyType(JSContext *cx, HandleObject obj)
 {
     JS_ASSERT(obj->hasLazyType());
     JS_ASSERT(cx->compartment() == obj->compartment());
     /* De-lazification of functions can GC, so we need to do it up here. */
     if (obj->is<JSFunction>() && obj->as<JSFunction>().isInterpretedLazy()) {
         RootedFunction fun(cx, &obj->as<JSFunction>());
         if (!fun->getOrCreateScript(cx))
             return nullptr;
     }
     // Find flags which need to be specified immediately on the object.
     // Don't track whether singletons are packed.
     TypeObjectFlags initialFlags = OBJECT_FLAG_NON_PACKED;
     if (obj->lastProperty()->hasObjectFlag(BaseShape::ITERATED_SINGLETON))
         initialFlags |= OBJECT_FLAG_ITERATED;
     if (obj->isIndexed())
         initialFlags |= OBJECT_FLAG_SPARSE_INDEXES;
     if (obj->is<ArrayObject>() && obj->as<ArrayObject>().length() > INT32_MAX)
         initialFlags |= OBJECT_FLAG_LENGTH_OVERFLOW;
     Rooted<TaggedProto> proto(cx, obj->getTaggedProto());
     TypeObject *type = cx->compartment()->types.newTypeObject(cx, obj->getClass(), proto, initialFlags);
     if (!type)
         return nullptr;
     AutoEnterAnalysis enter(cx);
     /* Fill in the type according to the state of this object. */
     type->initSingleton(obj);
     if (obj->is<JSFunction>() && obj->as<JSFunction>().isInterpreted())
         type->interpretedFunction = &obj->as<JSFunction>();
     obj->type_ = type;
     return type;
 }
 /* static */ inline HashNumber
 TypeObjectWithNewScriptEntry::hash(const Lookup &lookup)
 {
     return PointerHasher<JSObject *, 3>::hash(lookup.hashProto.raw()) ^
            PointerHasher<const Class *, 3>::hash(lookup.clasp) ^
            PointerHasher<JSFunction *, 3>::hash(lookup.newFunction);
 }
 /* static */ inline bool
 TypeObjectWithNewScriptEntry::match(const TypeObjectWithNewScriptEntry &key, const Lookup &lookup)
 {
     return key.object->proto() == lookup.matchProto &&
            key.object->clasp() == lookup.clasp &&
            key.newFunction == lookup.newFunction;
 }
 #ifdef DEBUG
 bool
 JSObject::hasNewType(const Class *clasp, TypeObject *type)
 {
     TypeObjectWithNewScriptSet &table = compartment()->newTypeObjects;
     if (!table.initialized())
         return false;
     TypeObjectWithNewScriptSet::Ptr p = table.lookup(TypeObjectWithNewScriptSet::Lookup(clasp, this, nullptr));
     return p && p->object == type;
 }
 #endif /* DEBUG */
 /* static */ bool
 JSObject::setNewTypeUnknown(JSContext *cx, const Class *clasp, HandleObject obj)
 {
     if (!obj->setFlag(cx, js::BaseShape::NEW_TYPE_UNKNOWN))
         return false;
     /*
      * If the object already has a new type, mark that type as unknown. It will
      * not have the SETS_MARKED_UNKNOWN bit set, so may require a type set
      * crawl if prototypes of the object change dynamically in the future.
      */
     TypeObjectWithNewScriptSet &table = cx->compartment()->newTypeObjects;
     if (table.initialized()) {
         if (TypeObjectWithNewScriptSet::Ptr p = table.lookup(TypeObjectWithNewScriptSet::Lookup(clasp, obj.get(), nullptr)))
             MarkTypeObjectUnknownProperties(cx, p->object);
     }
     return true;
 }
 #ifdef JSGC_GENERATIONAL
 /*
  * This class is used to add a post barrier on the newTypeObjects set, as the
  * key is calculated from a prototype object which may be moved by generational
  * GC.
  */
 class NewTypeObjectsSetRef : public BufferableRef
 {
     TypeObjectWithNewScriptSet *set;
     const Class *clasp;
     JSObject *proto;
     JSFunction *newFunction;
   public:
     NewTypeObjectsSetRef(TypeObjectWithNewScriptSet *s, const Class *clasp, JSObject *proto, JSFunction *newFunction)
         : set(s), clasp(clasp), proto(proto), newFunction(newFunction)
     {}
     void mark(JSTracer *trc) {
         JSObject *prior = proto;
         trc->setTracingLocation(&*prior);
         Mark(trc, &proto, "newTypeObjects set prototype");
         if (prior == proto)
             return;
         TypeObjectWithNewScriptSet::Ptr p = set->lookup(TypeObjectWithNewScriptSet::Lookup(clasp, prior, proto, newFunction));
         JS_ASSERT(p);  // newTypeObjects set must still contain original entry.
         set->rekeyAs(TypeObjectWithNewScriptSet::Lookup(clasp, prior, proto, newFunction),
                      TypeObjectWithNewScriptSet::Lookup(clasp, proto, newFunction), *p);
     }
 };
 #endif
 TypeObject *
 ExclusiveContext::getNewType(const Class *clasp, TaggedProto proto, JSFunction *fun)
 {
     JS_ASSERT_IF(fun, proto.isObject());
     JS_ASSERT_IF(proto.isObject(), isInsideCurrentCompartment(proto.toObject()));
     TypeObjectWithNewScriptSet &newTypeObjects = compartment()->newTypeObjects;
     if (!newTypeObjects.initialized() && !newTypeObjects.init())
         return nullptr;
     // Canonicalize new functions to use the original one associated with its script.
     if (fun) {
         if (fun->hasScript())
             fun = fun->nonLazyScript()->functionNonDelazifying();
         else if (fun->isInterpretedLazy() && !fun->isSelfHostedBuiltin())
             fun = fun->lazyScript()->functionNonDelazifying();
         else
             fun = nullptr;
     }
     TypeObjectWithNewScriptSet::AddPtr p =
         newTypeObjects.lookupForAdd(TypeObjectWithNewScriptSet::Lookup(clasp, proto, fun));
     if (p) {
         TypeObject *type = p->object;
         JS_ASSERT(type->clasp() == clasp);
         JS_ASSERT(type->proto() == proto);
         JS_ASSERT_IF(type->hasNewScript(), type->newScript()->fun == fun);
         return type;
     }
     AutoEnterAnalysis enter(this);
     if (proto.isObject() && !proto.toObject()->setDelegate(this))
         return nullptr;
     TypeObjectFlags initialFlags = 0;
     if (!proto.isObject() || proto.toObject()->lastProperty()->hasObjectFlag(BaseShape::NEW_TYPE_UNKNOWN)) {
         // The new type is not present in any type sets, so mark the object as
         // unknown in all type sets it appears in. This allows the prototype of
         // such objects to mutate freely without triggering an expensive walk of
         // the compartment's type sets. (While scripts normally don't mutate
         // __proto__, the browser will for proxies and such, and we need to
         // accommodate this behavior).
         initialFlags = OBJECT_FLAG_UNKNOWN_MASK | OBJECT_FLAG_SETS_MARKED_UNKNOWN;
     }
     Rooted<TaggedProto> protoRoot(this, proto);
     TypeObject *type = compartment()->types.newTypeObject(this, clasp, protoRoot, initialFlags);
     if (!type)
         return nullptr;
     if (!newTypeObjects.add(p, TypeObjectWithNewScriptEntry(type, fun)))
         return nullptr;
 #ifdef JSGC_GENERATIONAL
     if (proto.isObject() && hasNursery() && nursery().isInside(proto.toObject())) {
         asJSContext()->runtime()->gcStoreBuffer.putGeneric(
             NewTypeObjectsSetRef(&newTypeObjects, clasp, proto.toObject(), fun));
     }
 #endif
     if (proto.isObject()) {
         RootedObject obj(this, proto.toObject());
         if (fun)
             CheckNewScriptProperties(asJSContext(), type, fun);
         /*
          * Some builtin objects have slotful native properties baked in at
          * creation via the Shape::{insert,get}initialShape mechanism. Since
          * these properties are never explicitly defined on new objects, update
          * the type information for them here.
          */
         if (obj->is<RegExpObject>()) {
             AddTypePropertyId(this, type, NameToId(names().source), Type::StringType());
             AddTypePropertyId(this, type, NameToId(names().global), Type::BooleanType());
             AddTypePropertyId(this, type, NameToId(names().ignoreCase), Type::BooleanType());
             AddTypePropertyId(this, type, NameToId(names().multiline), Type::BooleanType());
             AddTypePropertyId(this, type, NameToId(names().sticky), Type::BooleanType());
             AddTypePropertyId(this, type, NameToId(names().lastIndex), Type::Int32Type());
         }
         if (obj->is<StringObject>())
             AddTypePropertyId(this, type, NameToId(names().length), Type::Int32Type());
         if (obj->is<ErrorObject>()) {
             AddTypePropertyId(this, type, NameToId(names().fileName), Type::StringType());
             AddTypePropertyId(this, type, NameToId(names().lineNumber), Type::Int32Type());
             AddTypePropertyId(this, type, NameToId(names().columnNumber), Type::Int32Type());
             AddTypePropertyId(this, type, NameToId(names().stack), Type::StringType());
         }
     }
     return type;
 }
 #if defined(JSGC_GENERATIONAL) && defined(JS_GC_ZEAL)
 void
 JSCompartment::checkNewTypeObjectTableAfterMovingGC()
 {
     /*
      * Assert that the postbarriers have worked and that nothing is left in
      * newTypeObjects that points into the nursery, and that the hash table
      * entries are discoverable.
      */
     JS::shadow::Runtime *rt = JS::shadow::Runtime::asShadowRuntime(runtimeFromMainThread());
     for (TypeObjectWithNewScriptSet::Enum e(newTypeObjects); !e.empty(); e.popFront()) {
         TypeObjectWithNewScriptEntry entry = e.front();
         JS_ASSERT(!IsInsideNursery(rt, entry.newFunction));
         TaggedProto proto = entry.object->proto();
         JS_ASSERT_IF(proto.isObject(), !IsInsideNursery(rt, proto.toObject()));
         TypeObjectWithNewScriptEntry::Lookup
             lookup(entry.object->clasp(), proto, entry.newFunction);
         TypeObjectWithNewScriptSet::Ptr ptr = newTypeObjects.lookup(lookup);
         JS_ASSERT(ptr.found() && &*ptr == &e.front());
     }
 }
 #endif
 TypeObject *
 ExclusiveContext::getSingletonType(const Class *clasp, TaggedProto proto)
 {
     JS_ASSERT_IF(proto.isObject(), compartment() == proto.toObject()->compartment());
     AutoEnterAnalysis enter(this);
     TypeObjectWithNewScriptSet &table = compartment()->lazyTypeObjects;
     if (!table.initialized() && !table.init())
         return nullptr;
     TypeObjectWithNewScriptSet::AddPtr p = table.lookupForAdd(TypeObjectWithNewScriptSet::Lookup(clasp, proto, nullptr));
     if (p) {
         TypeObject *type = p->object;
         JS_ASSERT(type->lazy());
         return type;
     }
     Rooted<TaggedProto> protoRoot(this, proto);
     TypeObject *type = compartment()->types.newTypeObject(this, clasp, protoRoot);
     if (!type)
         return nullptr;
     if (!table.add(p, TypeObjectWithNewScriptEntry(type, nullptr)))
         return nullptr;
     type->initSingleton((JSObject *) TypeObject::LAZY_SINGLETON);
     MOZ_ASSERT(type->singleton(), "created type must be a proper singleton");
     return type;
 }
 /////////////////////////////////////////////////////////////////////
 // Tracing
 /////////////////////////////////////////////////////////////////////
 void
 ConstraintTypeSet::sweep(Zone *zone, bool *oom)
 {
     /*
      * Purge references to type objects that are no longer live. Type sets hold
      * only weak references. For type sets containing more than one object,
      * live entries in the object hash need to be copied to the zone's
      * new arena.
      */
     unsigned objectCount = baseObjectCount();
     if (objectCount >= 2) {
         unsigned oldCapacity = HashSetCapacity(objectCount);
         TypeObjectKey **oldArray = objectSet;
         clearObjects();
         objectCount = 0;
         for (unsigned i = 0; i < oldCapacity; i++) {
             TypeObjectKey *object = oldArray[i];
             if (object && !IsAboutToBeFinalized(object)) {
                 TypeObjectKey **pentry =
                     HashSetInsert<TypeObjectKey *,TypeObjectKey,TypeObjectKey>
                         (zone->types.typeLifoAlloc, objectSet, objectCount, object);
                 if (pentry) {
                     *pentry = object;
                 } else {
                     *oom = true;
                     flags |= TYPE_FLAG_ANYOBJECT;
                     clearObjects();
                     objectCount = 0;
                     break;
                 }
             }
         }
         setBaseObjectCount(objectCount);
     } else if (objectCount == 1) {
         TypeObjectKey *object = (TypeObjectKey *) objectSet;
         if (IsAboutToBeFinalized(object)) {
             objectSet = nullptr;
             setBaseObjectCount(0);
         }
     }
     /*
      * Type constraints only hold weak references. Copy constraints referring
      * to data that is still live into the zone's new arena.
      */
     TypeConstraint *constraint = constraintList;
     constraintList = nullptr;
     while (constraint) {
         TypeConstraint *copy;
         if (constraint->sweep(zone->types, &copy)) {
             if (copy) {
                 copy->next = constraintList;
                 constraintList = copy;
             } else {
                 *oom = true;
             }
         }
         constraint = constraint->next;
     }
 }
 inline void
 TypeObject::clearProperties()
 {
     setBasePropertyCount(0);
     propertySet = nullptr;
 }
 /*
  * Before sweeping the arenas themselves, scan all type objects in a
  * compartment to fixup weak references: property type sets referencing dead
  * JS and type objects, and singleton JS objects whose type is not referenced
  * elsewhere. This also releases memory associated with dead type objects,
  * so that type objects do not need later finalization.
  */
 inline void
 TypeObject::sweep(FreeOp *fop, bool *oom)
 {
     if (!isMarked()) {
         if (addendum)
             fop->free_(addendum);
         return;
     }
     LifoAlloc &typeLifoAlloc = zone()->types.typeLifoAlloc;
     /*
      * Properties were allocated from the old arena, and need to be copied over
      * to the new one.
      */
     unsigned propertyCount = basePropertyCount();
     if (propertyCount >= 2) {
         unsigned oldCapacity = HashSetCapacity(propertyCount);
         Property **oldArray = propertySet;
         clearProperties();
         propertyCount = 0;
         for (unsigned i = 0; i < oldCapacity; i++) {
             Property *prop = oldArray[i];
             if (prop) {
                 if (singleton() && !prop->types.constraintList && !zone()->isPreservingCode()) {
                     /*
                      * Don't copy over properties of singleton objects when their
                      * presence will not be required by jitcode or type constraints
                      * (i.e. for the definite properties analysis). The contents of
                      * these type sets will be regenerated as necessary.
                      */
                     continue;
                 }
                 Property *newProp = typeLifoAlloc.new_<Property>(*prop);
                 if (newProp) {
                     Property **pentry =
                         HashSetInsert<jsid,Property,Property>
                             (typeLifoAlloc, propertySet, propertyCount, prop->id);
                     if (pentry) {
                         *pentry = newProp;
                         newProp->types.sweep(zone(), oom);
                         continue;
                     }
                 }
                 *oom = true;
                 addFlags(OBJECT_FLAG_DYNAMIC_MASK | OBJECT_FLAG_UNKNOWN_PROPERTIES);
                 clearProperties();
                 return;
             }
         }
         setBasePropertyCount(propertyCount);
     } else if (propertyCount == 1) {
         Property *prop = (Property *) propertySet;
         if (singleton() && !prop->types.constraintList && !zone()->isPreservingCode()) {
             // Skip, as above.
             clearProperties();
         } else {
             Property *newProp = typeLifoAlloc.new_<Property>(*prop);
             if (newProp) {
                 propertySet = (Property **) newProp;
                 newProp->types.sweep(zone(), oom);
             } else {
                 *oom = true;
                 addFlags(OBJECT_FLAG_DYNAMIC_MASK | OBJECT_FLAG_UNKNOWN_PROPERTIES);
                 clearProperties();
                 return;
             }
         }
     }
 }
 void
 TypeCompartment::clearTables()
 {
     if (allocationSiteTable && allocationSiteTable->initialized())
         allocationSiteTable->clear();
     if (arrayTypeTable && arrayTypeTable->initialized())
         arrayTypeTable->clear();
     if (objectTypeTable && objectTypeTable->initialized())
         objectTypeTable->clear();
 }
 void
 TypeCompartment::sweep(FreeOp *fop)
 {
     /*
      * Iterate through the array/object type tables and remove all entries
      * referencing collected data. These tables only hold weak references.
      */
     if (arrayTypeTable) {
         for (ArrayTypeTable::Enum e(*arrayTypeTable); !e.empty(); e.popFront()) {
             const ArrayTableKey &key = e.front().key();
             JS_ASSERT(key.type.isUnknown() || !key.type.isSingleObject());
             bool remove = false;
             TypeObject *typeObject = nullptr;
             if (!key.type.isUnknown() && key.type.isTypeObject()) {
                 typeObject = key.type.typeObject();
                 if (IsTypeObjectAboutToBeFinalized(&typeObject))
                     remove = true;
             }
             if (IsTypeObjectAboutToBeFinalized(e.front().value().unsafeGet()))
                 remove = true;
             if (remove) {
                 e.removeFront();
             } else if (typeObject && typeObject != key.type.typeObject()) {
                 ArrayTableKey newKey;
                 newKey.type = Type::ObjectType(typeObject);
                 newKey.proto = key.proto;
                 e.rekeyFront(newKey);
             }
         }
     }
     if (objectTypeTable) {
         for (ObjectTypeTable::Enum e(*objectTypeTable); !e.empty(); e.popFront()) {
             const ObjectTableKey &key = e.front().key();
             ObjectTableEntry &entry = e.front().value();
             bool remove = false;
             if (IsTypeObjectAboutToBeFinalized(entry.object.unsafeGet()))
                 remove = true;
             if (IsShapeAboutToBeFinalized(entry.shape.unsafeGet()))
                 remove = true;
             for (unsigned i = 0; !remove && i < key.nproperties; i++) {
                 if (JSID_IS_STRING(key.properties[i])) {
                     JSString *str = JSID_TO_STRING(key.properties[i]);
                     if (IsStringAboutToBeFinalized(&str))
                         remove = true;
                     JS_ASSERT(AtomToId((JSAtom *)str) == key.properties[i]);
                 }
                 JS_ASSERT(!entry.types[i].isSingleObject());
                 TypeObject *typeObject = nullptr;
                 if (entry.types[i].isTypeObject()) {
                     typeObject = entry.types[i].typeObject();
                     if (IsTypeObjectAboutToBeFinalized(&typeObject))
                         remove = true;
                     else if (typeObject != entry.types[i].typeObject())
                         entry.types[i] = Type::ObjectType(typeObject);
                 }
             }
             if (remove) {
                 js_free(key.properties);
                 js_free(entry.types);
                 e.removeFront();
             }
         }
     }
     if (allocationSiteTable) {
         for (AllocationSiteTable::Enum e(*allocationSiteTable); !e.empty(); e.popFront()) {
             AllocationSiteKey key = e.front().key();
             bool keyDying = IsScriptAboutToBeFinalized(&key.script);
             bool valDying = IsTypeObjectAboutToBeFinalized(e.front().value().unsafeGet());
             if (keyDying || valDying)
                 e.removeFront();
             else if (key.script != e.front().key().script)
                 e.rekeyFront(key);
         }
     }
 }
 void
 JSCompartment::sweepNewTypeObjectTable(TypeObjectWithNewScriptSet &table)
 {
     gcstats::AutoPhase ap(runtimeFromMainThread()->gcStats,
                           gcstats::PHASE_SWEEP_TABLES_TYPE_OBJECT);
     JS_ASSERT(zone()->isGCSweeping());
     if (table.initialized()) {
         for (TypeObjectWithNewScriptSet::Enum e(table); !e.empty(); e.popFront()) {
             TypeObjectWithNewScriptEntry entry = e.front();
             if (IsTypeObjectAboutToBeFinalized(entry.object.unsafeGet())) {
                 e.removeFront();
             } else if (entry.newFunction && IsObjectAboutToBeFinalized(&entry.newFunction)) {
                 e.removeFront();
             } else if (entry.object != e.front().object) {
                 TypeObjectWithNewScriptSet::Lookup lookup(entry.object->clasp(),
                                                           entry.object->proto(),
                                                           entry.newFunction);
                 e.rekeyFront(lookup, entry);
             }
         }
     }
 }
 TypeCompartment::~TypeCompartment()
 {
     js_delete(arrayTypeTable);
     js_delete(objectTypeTable);
     js_delete(allocationSiteTable);
 }
 /* static */ void
 TypeScript::Sweep(FreeOp *fop, JSScript *script, bool *oom)
 {
     JSCompartment *compartment = script->compartment();
     JS_ASSERT(compartment->zone()->isGCSweeping());
     unsigned num = NumTypeSets(script);
     StackTypeSet *typeArray = script->types->typeArray();
     /* Remove constraints and references to dead objects from the persistent type sets. */
     for (unsigned i = 0; i < num; i++)
         typeArray[i].sweep(compartment->zone(), oom);
 }
 void
 TypeScript::destroy()
 {
     js_free(this);
 }
 void
 Zone::addSizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf,
                              size_t *typePool,
                              size_t *baselineStubsOptimized)
 {
     *typePool += types.typeLifoAlloc.sizeOfExcludingThis(mallocSizeOf);
 #ifdef JS_ION
     if (jitZone()) {
         *baselineStubsOptimized +=
             jitZone()->optimizedStubSpace()->sizeOfExcludingThis(mallocSizeOf);
     }
 #endif
 }
 void
 TypeCompartment::addSizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf,
                                         size_t *allocationSiteTables,
                                         size_t *arrayTypeTables,
                                         size_t *objectTypeTables)
 {
     if (allocationSiteTable)
         *allocationSiteTables += allocationSiteTable->sizeOfIncludingThis(mallocSizeOf);
     if (arrayTypeTable)
         *arrayTypeTables += arrayTypeTable->sizeOfIncludingThis(mallocSizeOf);
     if (objectTypeTable) {
         *objectTypeTables += objectTypeTable->sizeOfIncludingThis(mallocSizeOf);
         for (ObjectTypeTable::Enum e(*objectTypeTable);
              !e.empty();
              e.popFront())
         {
             const ObjectTableKey &key = e.front().key();
             const ObjectTableEntry &value = e.front().value();
             /* key.ids and values.types have the same length. */
             *objectTypeTables += mallocSizeOf(key.properties) + mallocSizeOf(value.types);
         }
     }
 }
 size_t
 TypeObject::sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const
 {
     return mallocSizeOf(addendum);
 }
 TypeZone::TypeZone(Zone *zone)
   : zone_(zone),
     typeLifoAlloc(TYPE_LIFO_ALLOC_PRIMARY_CHUNK_SIZE),
     compilerOutputs(nullptr),
     pendingRecompiles(nullptr)
 {
 }
 TypeZone::~TypeZone()
 {
     js_delete(compilerOutputs);
     js_delete(pendingRecompiles);
 }
 void
 TypeZone::sweep(FreeOp *fop, bool releaseTypes, bool *oom)
 {
     JS_ASSERT(zone()->isGCSweeping());
     JSRuntime *rt = fop->runtime();
     /*
      * Clear the analysis pool, but don't release its data yet. While
      * sweeping types any live data will be allocated into the pool.
      */
     LifoAlloc oldAlloc(typeLifoAlloc.defaultChunkSize());
     oldAlloc.steal(&typeLifoAlloc);
     /* Sweep and find compressed indexes for each compiler output. */
     size_t newCompilerOutputCount = 0;
 #ifdef JS_ION
     if (compilerOutputs) {
         for (size_t i = 0; i < compilerOutputs->length(); i++) {
             CompilerOutput &output = (*compilerOutputs)[i];
             if (output.isValid()) {
                 JSScript *script = output.script();
                 if (IsScriptAboutToBeFinalized(&script)) {
                     jit::GetIonScript(script, output.mode())->recompileInfoRef() = uint32_t(-1);
                     output.invalidate();
                 } else {
                     output.setSweepIndex(newCompilerOutputCount++);
                 }
             }
         }
     }
 #endif
     {
         gcstats::AutoPhase ap2(rt->gcStats, gcstats::PHASE_DISCARD_TI);
         for (CellIterUnderGC i(zone(), FINALIZE_SCRIPT); !i.done(); i.next()) {
             JSScript *script = i.get<JSScript>();
             if (script->types) {
                 types::TypeScript::Sweep(fop, script, oom);
                 if (releaseTypes) {
                     if (script->hasParallelIonScript()) {
 #ifdef JS_ION
                         // It's possible that we preserved the parallel
                         // IonScript. The heuristic for their preservation is
                         // independent of general JIT code preservation.
                         MOZ_ASSERT(jit::ShouldPreserveParallelJITCode(rt, script));
                         script->parallelIonScript()->recompileInfoRef().shouldSweep(*this);
 #else
                         MOZ_CRASH();
 #endif
                     } else {
                         script->types->destroy();
                         script->types = nullptr;
                         /*
                          * Freeze constraints on stack type sets need to be
                          * regenerated the next time the script is analyzed.
                          */
                         script->clearHasFreezeConstraints();
                     }
                     JS_ASSERT(!script->hasIonScript());
                 } else {
                     /* Update the recompile indexes in any IonScripts still on the script. */
                     if (script->hasIonScript())
                         script->ionScript()->recompileInfoRef().shouldSweep(*this);
                     if (script->hasParallelIonScript())
                         script->parallelIonScript()->recompileInfoRef().shouldSweep(*this);
                 }
             }
         }
     }
     {
         gcstats::AutoPhase ap2(rt->gcStats, gcstats::PHASE_SWEEP_TYPES);
         for (gc::CellIterUnderGC iter(zone(), gc::FINALIZE_TYPE_OBJECT);
              !iter.done(); iter.next())
         {
             TypeObject *object = iter.get<TypeObject>();
             object->sweep(fop, oom);
         }
         for (CompartmentsInZoneIter comp(zone()); !comp.done(); comp.next())
             comp->types.sweep(fop);
     }
     if (compilerOutputs) {
         size_t sweepIndex = 0;
         for (size_t i = 0; i < compilerOutputs->length(); i++) {
             CompilerOutput output = (*compilerOutputs)[i];
             if (output.isValid()) {
                 JS_ASSERT(sweepIndex == output.sweepIndex());
                 output.invalidateSweepIndex();
                 (*compilerOutputs)[sweepIndex++] = output;
             }
         }
         JS_ASSERT(sweepIndex == newCompilerOutputCount);
         JS_ALWAYS_TRUE(compilerOutputs->resize(newCompilerOutputCount));
     }
     {
         gcstats::AutoPhase ap2(rt->gcStats, gcstats::PHASE_FREE_TI_ARENA);
         rt->freeLifoAlloc.transferFrom(&oldAlloc);
     }
 }
 void
 TypeZone::clearAllNewScriptAddendumsOnOOM()
 {
     for (gc::CellIterUnderGC iter(zone(), gc::FINALIZE_TYPE_OBJECT);
          !iter.done(); iter.next())
     {
         TypeObject *object = iter.get<TypeObject>();
         object->maybeClearNewScriptAddendumOnOOM();
     }
 }
 #ifdef DEBUG
 void
 TypeScript::printTypes(JSContext *cx, HandleScript script) const
 {
     JS_ASSERT(script->types == this);
     if (!script->hasBaselineScript())
         return;
     AutoEnterAnalysis enter(nullptr, script->compartment());
     if (script->functionNonDelazifying())
         fprintf(stderr, "Function");
     else if (script->isForEval())
         fprintf(stderr, "Eval");
     else
         fprintf(stderr, "Main");
     fprintf(stderr, " #%u %s:%d ", script->id(), script->filename(), (int) script->lineno());
     if (script->functionNonDelazifying()) {
         if (js::PropertyName *name = script->functionNonDelazifying()->name()) {
             const jschar *chars = name->getChars(nullptr);
             JSString::dumpChars(chars, name->length());
         }
     }
     fprintf(stderr, "\n    this:");
     TypeScript::ThisTypes(script)->print();
     for (unsigned i = 0;
          script->functionNonDelazifying() && i < script->functionNonDelazifying()->nargs();
          i++)
     {
         fprintf(stderr, "\n    arg%u:", i);
         TypeScript::ArgTypes(script, i)->print();
     }
     fprintf(stderr, "\n");
     for (jsbytecode *pc = script->code(); pc < script->codeEnd(); pc += GetBytecodeLength(pc)) {
         PrintBytecode(cx, script, pc);
         if (js_CodeSpec[*pc].format & JOF_TYPESET) {
             StackTypeSet *types = TypeScript::BytecodeTypes(script, pc);
             fprintf(stderr, "  typeset %u:", unsigned(types - typeArray()));
             types->print();
             fprintf(stderr, "\n");
         }
     }
     fprintf(stderr, "\n");
 }
 #endif /* DEBUG */
 /////////////////////////////////////////////////////////////////////
 // Binary data
 /////////////////////////////////////////////////////////////////////
 void
 TypeObject::setAddendum(TypeObjectAddendum *addendum)
 {
     this->addendum = addendum;
 }
 bool
 TypeObject::addTypedObjectAddendum(JSContext *cx, Handle<TypeDescr*> descr)
 {
     // Type descriptors are always pre-tenured. This is both because
     // we expect them to live a long time and so that they can be
     // safely accessed during ion compilation.
     JS_ASSERT(!IsInsideNursery(cx->runtime(), descr));
     JS_ASSERT(descr);
     if (flags() & OBJECT_FLAG_ADDENDUM_CLEARED)
         return true;
     JS_ASSERT(!unknownProperties());
     if (addendum) {
         JS_ASSERT(hasTypedObject());
         JS_ASSERT(&typedObject()->descr() == descr);
         return true;
     }
     TypeTypedObject *typedObject = js_new<TypeTypedObject>(descr);
     if (!typedObject)
         return false;
     addendum = typedObject;
     return true;
 }
 /////////////////////////////////////////////////////////////////////
 // Type object addenda constructor
 /////////////////////////////////////////////////////////////////////
 TypeObjectAddendum::TypeObjectAddendum(Kind kind)
   : kind(kind)
 {}
 TypeNewScript::TypeNewScript()
   : TypeObjectAddendum(NewScript)
 {}
 TypeTypedObject::TypeTypedObject(Handle<TypeDescr*> descr)
   : TypeObjectAddendum(TypedObject),
     descr_(descr)
 {
 }
 TypeDescr &
 js::types::TypeTypedObject::descr() {
     return descr_->as<TypeDescr>();
 }

The Tor Browser / annotate

js/src/jsinfer.cpp@a63d609f5ebe (annotated)

js/src/jsinfer.cpp