From 3a4f720cea9ba3d593089620e75e277c9168b4ea Mon Sep 17 00:00:00 2001
From: Brian Hackett
Date: Tue, 7 Jul 2015 17:38:24 -0700
Subject: [PATCH] Bug 1175714 - Watch for baseline frame values with nursery types during OSR, r=jandem.

---
 js/src/jit/IonBuilder.cpp | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/js/src/jit/IonBuilder.cpp b/js/src/jit/IonBuilder.cpp
index 7c1bdf9fb05..80376c82797 100644
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@@ -1095,8 +1095,12 @@ IonBuilder::initParameters()
 // interpreter and didn't accumulate type information, try to use that OSR
 // frame to determine possible initial types for 'this' and parameters.

- if (thisTypes->empty() && baselineFrame_)
- thisTypes->addType(baselineFrame_->thisType, alloc_->lifoAlloc());
+ if (thisTypes->empty() && baselineFrame_) {
+ TypeSet::Type type = baselineFrame_->thisType;
+ if (type.isSingletonUnchecked())
+ checkNurseryObject(type.singleton());
+ thisTypes->addType(type, alloc_->lifoAlloc());
+ }

 MParameter* param = MParameter::New(alloc(), MParameter::THIS_SLOT, thisTypes);
 current->add(param);
@@ -1107,7 +1111,10 @@ IonBuilder::initParameters()
 if (types->empty() && baselineFrame_ &&
 !script_->baselineScript()->modifiesArguments())
 {
- types->addType(baselineFrame_->argTypes[i], alloc_->lifoAlloc());
+ TypeSet::Type type = baselineFrame_->argTypes[i];
+ if (type.isSingletonUnchecked())
+ checkNurseryObject(type.singleton());
+ types->addType(type, alloc_->lifoAlloc());
 }

 param = MParameter::New(alloc(), i, types);
@@ -6995,6 +7002,9 @@ IonBuilder::newPendingLoopHeader(MBasicBlock* predecessor, jsbytecode* pc, bool
 else
 existingType = baselineFrame_->varTypes[var];

+ if (existingType.isSingletonUnchecked())
+ checkNurseryObject(existingType.singleton());
+
 // Extract typeset from value.
 LifoAlloc* lifoAlloc = alloc().lifoAlloc();
 TemporaryTypeSet* typeSet =
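Review bot: The guard `if (type.isSingletonUnchecked()) checkNurseryObject(type.singleton());` is now written out three times, for `thisType` and `argTypes[i]` in initParameters and for `existingType` in newPendingLoopHeader, and none of the three carries a comment saying why a type read from the baseline frame needs it. Going by the commit subject, these types can name a singleton that is still in the nursery, so a later read of a `baselineFrame_` type that forgets the guard would presumably bring the same GC hazard back. I would fold the pair into one small IonBuilder helper taking a `TypeSet::Type` and document it there, for example `// Types read from the OSR baseline frame may refer to nursery objects; pass them through checkNurseryObject before they enter a type set.` Both functions start and end outside the hunks shown, and checkNurseryObject itself is not part of the patch, so other unguarded reads may exist that are not visible here.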