Bug 909601 - Don't optimize common accessors on objects with {get,set}Generic hooks. (r=jandem)

2024-09-13 09:24:08 -07:00 · 2013-08-28 16:12:58 -07:00 · 2013-08-28 16:12:58 -07:00 · 61a2982620
commit 61a2982620
parent 725c93a76e
2 changed files with 52 additions and 25 deletions
--- a/js/src/jit-test/tests/ion/bug909601.js
+++ b/js/src/jit-test/tests/ion/bug909601.js
@ -0,0 +1,10 @@
+// |jit-test| ion-eager
+for (var i=0; i<3; i++)
+    z = new Int32Array;
+
+function f() {
+    z.__proto__ = 2;
+}
+
+for (var i=0; i<3; i++)
+    f();
--- a/js/src/jit/IonBuilder.cpp
+++ b/js/src/jit/IonBuilder.cpp
@ -7601,6 +7601,13 @@ IonBuilder::TestCommonPropFunc(JSContext *cx, types::StackTypeSet *types, Handle
            if (typeObj->unknownProperties())
                return true;

+            // If the class of the object has a hook, we can't
+            // inline, as we would need to call the hook.
+            if (isGetter && typeObj->clasp->ops.getGeneric)
+                return true;
+            if (!isGetter && typeObj->clasp->ops.setGeneric)
+                return true;
+
            // If the type has an own property, we can't be sure we don't shadow
            // the chain.
            types::HeapTypeSet *propSet = typeObj->getProperty(cx, types::IdToTypeId(id), false);
@ -7662,13 +7669,21 @@ IonBuilder::TestCommonPropFunc(JSContext *cx, types::StackTypeSet *types, Handle
        else if (foundProto != proto)
            return true;

+        JSObject *stopAt = foundProto->getProto();
+        while (curObj != stopAt) {
+            // Don't optimize if we have a hook that would have to be called.
+            if (isGetter && curObj->getClass()->ops.getGeneric)
+                return true;
+            if (!isGetter && curObj->getClass()->ops.setGeneric)
+                return true;
+
            // Check here to make sure that everyone has Type Objects with known
            // properties between them and the proto we found the accessor on. We
            // need those to add freezes safely. NOTE: We do not do this above, as
            // we may be able to freeze all the types up to where we found the
            // property, even if there are unknown types higher in the prototype
            // chain.
-        while (curObj != foundProto) {
+            if (curObj != foundProto) {
                types::TypeObject *typeObj = curObj->getType(cx);
                if (!typeObj)
                    return false;
@ -7685,11 +7700,13 @@ IonBuilder::TestCommonPropFunc(JSContext *cx, types::StackTypeSet *types, Handle
                // Even though we are not directly accessing the properties on the whole
                // prototype chain, we need to fault in the sets anyway, as we need
                // to freeze on them.
-            types::HeapTypeSet *propSet = typeObj->getProperty(cx, types::IdToTypeId(id), false);
+                types::HeapTypeSet *propSet =
+                    typeObj->getProperty(cx, types::IdToTypeId(id), false);
                if (!propSet)
                    return false;
                if (propSet->ownProperty(false))
                    return true;
+            }

            curObj = curObj->getProto();
        }