Bug 852342 - Clone CallInfo as it is mutated by addTypeBarrier. r=h4writer

2024-09-13 09:24:08 -07:00 · 2013-03-20 10:36:32 -07:00 · 2013-03-20 10:36:32 -07:00 · 6805786a30
commit 6805786a30
parent 84b820b84b
3 changed files with 29 additions and 7 deletions
--- a/js/src/ion/IonBuilder.cpp
+++ b/js/src/ion/IonBuilder.cpp
@ -2941,18 +2941,26 @@ IonBuilder::inlineScriptedCall(HandleFunction target, CallInfo &callInfo)
    if (!oracle.init(cx, calleeScript))
        return false;

+    // Copy the CallInfo as the addTypeBarrier is mutating it.
+    bool argsBarrier = callInfo.argsBarrier();
+    CallInfo clonedCallInfo(cx, callInfo.constructing());
+    CallInfo &thisCall = argsBarrier ? clonedCallInfo : callInfo;
+
    // Add exclude type barriers.
-    if (callInfo.argsBarrier()) {
-        addTypeBarrier(0, callInfo, oracle.thisTypeSet(calleeScript));
-        int32_t max = (callInfo.argc() < target->nargs) ? callInfo.argc() : target->nargs;
+    if (argsBarrier) {
+        if (!thisCall.init(callInfo))
+            return false;
+
+        addTypeBarrier(0, thisCall, oracle.thisTypeSet(calleeScript));
+        int32_t max = (thisCall.argc() < target->nargs) ? thisCall.argc() : target->nargs;
        for (int32_t i = 1; i <= max; i++)
-            addTypeBarrier(i, callInfo, oracle.parameterTypeSet(calleeScript, i - 1));
+            addTypeBarrier(i, thisCall, oracle.parameterTypeSet(calleeScript, i - 1));
    }

    // Start inlining.
    LifoAlloc *alloc = GetIonContext()->temp->lifoAlloc();
    CompileInfo *info = alloc->new_<CompileInfo>(calleeScript.get(), target,
-                                                 (jsbytecode *)NULL, callInfo.constructing(),
+                                                 (jsbytecode *)NULL, thisCall.constructing(),
                                                 SequentialExecution);
    if (!info)
        return false;
@ -2962,7 +2970,7 @@ IonBuilder::inlineScriptedCall(HandleFunction target, CallInfo &callInfo)

    // Build the graph.
    IonBuilder inlineBuilder(cx, &temp(), &graph(), &oracle, info, inliningDepth_ + 1, loopDepth_);
-    if (!inlineBuilder.buildInline(this, outerResumePoint, callInfo)) {
+    if (!inlineBuilder.buildInline(this, outerResumePoint, thisCall)) {
        JS_ASSERT(calleeScript->hasAnalysis());

        // Inlining the callee failed. Disable inlining the function
@ -2990,7 +2998,7 @@ IonBuilder::inlineScriptedCall(HandleFunction target, CallInfo &callInfo)

    // Accumulate return values.
    MIRGraphExits &exits = *inlineBuilder.graph().exitAccumulator();
-    MDefinition *retvalDefn = patchInlinedReturns(callInfo, exits, returnBlock);
+    MDefinition *retvalDefn = patchInlinedReturns(thisCall, exits, returnBlock);
    if (!retvalDefn)
        return false;
    returnBlock->push(retvalDefn);
--- a/js/src/ion/IonBuilder.h
+++ b/js/src/ion/IonBuilder.h
@ -607,6 +607,8 @@ class CallInfo
        if (callInfo.hasTypeInfo())
            setTypeInfo(callInfo.types(), callInfo.barrier());

+        argsBarriers_ = callInfo.argsBarriers_;
+
        return true;
    }

--- a/js/src/jit-test/tests/ion/bug852342.js
+++ b/js/src/jit-test/tests/ion/bug852342.js
@ -0,0 +1,12 @@
+
+function A(a) { }
+function B(b) { this.b = b; }
+function C(c) {}
+function makeArray(n) {
+    var classes = [A, B, C];
+    var arr = [];
+    for (var i = (" "); i < n; i++) {
+        arr.push(new classes[i % 3](i % 3));
+    }
+}
+makeArray(30000);