Bug 935032 - Fix miscellaneous uses of JSContext in IonBuilder, r=shu,jandem.

js/src/builtin/ParallelArray.cpp

@@ -95,6 +95,16 @@ ParallelArrayObject::construct(JSContext *cx, unsigned argc, Value *vp)
     return constructHelper(cx, &ctor, args);
 }
 
+/* static */ JSFunction *
+ParallelArrayObject::maybeGetConstructor(GlobalObject *global, unsigned argc)
+{
+    PropertyName *ctorName = ctorNames[js::Min(argc, NumCtors - 1)];
+    Value ctorValue;
+    if (!global->maybeGetIntrinsicValue(ctorName, &ctorValue))
+        return nullptr;
+    JS_ASSERT(ctorValue.isObject() && ctorValue.toObject().is<JSFunction>());
+    return &ctorValue.toObject().as<JSFunction>();
+}
 
 /* static */ JSFunction *
 ParallelArrayObject::getConstructor(JSContext *cx, unsigned argc)

js/src/builtin/ParallelArray.h

@@ -40,6 +40,7 @@ class ParallelArrayObject : public JSObject
     static JSObject *newInstance(JSContext *cx, NewObjectKind newKind = GenericObject);
 
     // Get the constructor function for argc number of arguments.
+    static JSFunction *maybeGetConstructor(GlobalObject *global, unsigned argc);
     static JSFunction *getConstructor(JSContext *cx, unsigned argc);
 
     static JSObject *initClass(JSContext *cx, HandleObject obj);

js/src/jit/BaselineIC.cpp

@@ -7459,6 +7459,19 @@ GetTemplateObjectForNative(JSContext *cx, HandleScript script, jsbytecode *pc,
         return true;
     }
 
+    if (native == intrinsic_NewParallelArray || native == ParallelArrayObject::construct) {
+        res.set(ParallelArrayObject::newInstance(cx, TenuredObject));
+        if (!res)
+            return false;
+
+        types::TypeObject *type =
+            types::TypeScript::InitObject(cx, script, pc, JSProto_ParallelArray);
+        if (!type)
+            return false;
+        res->setType(type);
+        return true;
+    }
+
     return true;
 }
 

js/src/jit/IonBuilder.h

@@ -587,7 +587,8 @@ class IonBuilder : public MIRGenerator
                                            JSFunction *target,
                                            MDefinition *ctor,
                                            types::TemporaryTypeSet *ctorTypes,
-                                           uint32_t discards);
+                                           uint32_t discards,
+                                           Native native);
 
     // Utility intrinsics.
     InliningStatus inlineIsCallable(CallInfo &callInfo);

js/src/jit/MCallOptimize.cpp

@@ -186,11 +186,11 @@ IonBuilder::inlineMathFunction(CallInfo &callInfo, MMathFunction::Function funct
     if (!IsNumberType(callInfo.getArg(0)->type()))
         return InliningStatus_NotInlined;
 
-    callInfo.unwrapArgs();
-
-    MathCache *cache = cx->runtime()->getMathCache(cx);
+    MathCache *cache = compartment->runtimeFromAnyThread()->maybeGetMathCache();
     if (!cache)
-        return InliningStatus_Error;
+        return InliningStatus_NotInlined;
+
+    callInfo.unwrapArgs();
 
     MMathFunction *ins = MMathFunction::New(callInfo.getArg(0), function, cache);
     current->add(ins);
@@ -317,8 +317,7 @@ IonBuilder::inlineArrayPopShift(CallInfo &callInfo, MArrayPopShift::Mode mode)
     if (thisTypes->hasObjectFlags(constraints(), unhandledFlags))
         return InliningStatus_NotInlined;
 
-    RootedScript scriptRoot(cx, script());
-    if (types::ArrayPrototypeHasIndexedProperty(constraints(), scriptRoot))
+    if (types::ArrayPrototypeHasIndexedProperty(constraints(), script()))
         return InliningStatus_NotInlined;
 
     callInfo.unwrapArgs();
@@ -376,8 +375,7 @@ IonBuilder::inlineArrayPush(CallInfo &callInfo)
         return InliningStatus_NotInlined;
     }
 
-    RootedScript scriptRoot(cx, script());
-    if (types::ArrayPrototypeHasIndexedProperty(constraints(), scriptRoot))
+    if (types::ArrayPrototypeHasIndexedProperty(constraints(), script()))
         return InliningStatus_NotInlined;
 
     types::TemporaryTypeSet::DoubleConversion conversion =
@@ -445,8 +443,7 @@ IonBuilder::inlineArrayConcat(CallInfo &callInfo)
     }
 
     // Watch out for indexed properties on the prototype.
-    RootedScript scriptRoot(cx, script());
-    if (types::ArrayPrototypeHasIndexedProperty(constraints(), scriptRoot))
+    if (types::ArrayPrototypeHasIndexedProperty(constraints(), script()))
         return InliningStatus_NotInlined;
 
     // Require the 'this' types to have a specific type matching the current
@@ -732,11 +729,10 @@ IonBuilder::inlineMathPow(CallInfo &callInfo)
     MDefinition *output = nullptr;
 
     // Optimize some constant powers.
-    if (callInfo.getArg(1)->isConstant()) {
-        double pow;
-        Value v = callInfo.getArg(1)->toConstant()->value();
-        if (!ToNumber(GetIonContext()->cx, v, &pow))
-            return InliningStatus_Error;
+    if (callInfo.getArg(1)->isConstant() &&
+        callInfo.getArg(1)->toConstant()->value().isNumber())
+    {
+        double pow = callInfo.getArg(1)->toConstant()->value().toNumber();
 
         // Math.pow(x, 0.5) is a sqrt with edge-case detection.
         if (pow == 0.5) {
@@ -1236,7 +1232,8 @@ IonBuilder::inlineNewParallelArray(CallInfo &callInfo)
 
     // Discard the function.
     return inlineParallelArrayTail(callInfo, target, ctor,
-                                   target ? nullptr : ctorTypes, 1);
+                                   target ? nullptr : ctorTypes, 1,
+                                   intrinsic_NewParallelArray);
 }
 
 IonBuilder::InliningStatus
@@ -1246,9 +1243,9 @@ IonBuilder::inlineParallelArray(CallInfo &callInfo)
         return InliningStatus_NotInlined;
 
     uint32_t argc = callInfo.argc();
-    JSFunction *target = ParallelArrayObject::getConstructor(cx, argc);
+    JSFunction *target = ParallelArrayObject::maybeGetConstructor(&script()->global(), argc);
     if (!target)
-        return InliningStatus_Error;
+        return InliningStatus_NotInlined;
 
     JS_ASSERT(target->nonLazyScript()->shouldCloneAtCallsite);
     if (JSFunction *clone = ExistingCloneFunctionAtCallsite(compartment, target, script(), pc))
@@ -1257,7 +1254,8 @@ IonBuilder::inlineParallelArray(CallInfo &callInfo)
     MConstant *ctor = MConstant::New(ObjectValue(*target));
     current->add(ctor);
 
-    return inlineParallelArrayTail(callInfo, target, ctor, nullptr, 0);
+    return inlineParallelArrayTail(callInfo, target, ctor, nullptr, 0,
+                                   ParallelArrayObject::construct);
 }
 
 IonBuilder::InliningStatus
@@ -1265,7 +1263,8 @@ IonBuilder::inlineParallelArrayTail(CallInfo &callInfo,
                                     JSFunction *target,
                                     MDefinition *ctor,
                                     types::TemporaryTypeSet *ctorTypes,
-                                    uint32_t discards)
+                                    uint32_t discards,
+                                    Native native)
 {
     // Rewrites either NewParallelArray(...) or new ParallelArray(...) from a
     // call to a native ctor into a call to the relevant function in the
@@ -1285,6 +1284,10 @@ IonBuilder::inlineParallelArrayTail(CallInfo &callInfo,
     if (!typeObject || typeObject->clasp != &ParallelArrayObject::class_)
         return InliningStatus_NotInlined;
 
+    JSObject *templateObject = inspector->getTemplateObjectForNative(pc, native);
+    if (!templateObject || templateObject->type() != typeObject)
+        return InliningStatus_NotInlined;
+
     // Create the call and add in the non-this arguments.
     uint32_t targetArgs = argc;
     if (target && !target->isNative())
@@ -1327,10 +1330,6 @@ IonBuilder::inlineParallelArrayTail(CallInfo &callInfo,
 
     // Create the MIR to allocate the new parallel array.  Take the type
     // object is taken from the prediction set.
-    JSObject *templateObject = ParallelArrayObject::newInstance(cx, TenuredObject);
-    if (!templateObject)
-        return InliningStatus_Error;
-    templateObject->setType(typeObject);
     MNewParallelArray *newObject = MNewParallelArray::New(templateObject);
     current->add(newObject);
     MPassArg *newThis = MPassArg::New(newObject);

js/src/jsinfer.cpp

@@ -1971,8 +1971,7 @@ PrototypeHasIndexedProperty(CompilerConstraintList *constraints, JSObject *obj)
 }
 
 bool
-types::ArrayPrototypeHasIndexedProperty(CompilerConstraintList *constraints,
-                                        HandleScript script)
+types::ArrayPrototypeHasIndexedProperty(CompilerConstraintList *constraints, JSScript *script)
 {
     if (JSObject *proto = script->global().maybeGetArrayPrototype())
         return PrototypeHasIndexedProperty(constraints, proto);

js/src/jsinfer.h

@@ -1116,7 +1116,7 @@ UseNewTypeForClone(JSFunction *fun);
  * indexed property.
  */
 bool
-ArrayPrototypeHasIndexedProperty(CompilerConstraintList *constraints, HandleScript script);
+ArrayPrototypeHasIndexedProperty(CompilerConstraintList *constraints, JSScript *script);
 
 /* Whether obj or any of its prototypes have an indexed property. */
 bool

js/src/vm/Runtime.h

@@ -1379,6 +1379,9 @@ struct JSRuntime : public JS::shadow::Runtime,
     js::MathCache *getMathCache(JSContext *cx) {
         return mathCache_ ? mathCache_ : createMathCache(cx);
     }
+    js::MathCache *maybeGetMathCache() {
+        return mathCache_;
+    }
 
     js::GSNCache        gsnCache;
     js::NewObjectCache  newObjectCache;