Bug 1115886 - Store TypeObject::interpretedFunction in its addendum, r=jandem.

js/src/gc/Marking.cpp

@@ -1452,8 +1452,8 @@ ScanTypeObject(GCMarker *gcmarker, types::TypeObject *type)
     if (TypeDescr *descr = type->maybeTypeDescr())
         PushMarkStack(gcmarker, descr);
 
-    if (type->interpretedFunction)
-        PushMarkStack(gcmarker, type->interpretedFunction);
+    if (JSFunction *fun = type->maybeInterpretedFunction())
+        PushMarkStack(gcmarker, fun);
 }
 
 static void
@@ -1480,8 +1480,10 @@ gc::MarkChildren(JSTracer *trc, types::TypeObject *type)
         type->setTypeDescr(&descr->as<TypeDescr>());
     }
 
-    if (type->interpretedFunction)
-        MarkObject(trc, &type->interpretedFunction, "type_function");
+    if (JSObject *fun = type->maybeInterpretedFunction()) {
+        MarkObjectUnbarriered(trc, &fun, "type_function");
+        type->setInterpretedFunction(&fun->as<JSFunction>());
+    }
 }
 
 static void

js/src/jit/IonBuilder.cpp

@@ -296,12 +296,13 @@ IonBuilder::getPolyCallTargets(types::TemporaryTypeSet *calleeTypes, bool constr
         if (!obj) {
             types::TypeObject *typeObj = calleeTypes->getTypeObject(i);
             MOZ_ASSERT(typeObj);
-            if (!typeObj->interpretedFunction) {
+            obj = typeObj->maybeInterpretedFunction();
+
+            if (!obj) {
                 targets.clear();
                 return true;
             }
 
-            obj = typeObj->interpretedFunction;
             *gotLambda = true;
         }
 

js/src/jsfun.cpp

@@ -870,7 +870,7 @@ CreateFunctionPrototype(JSContext *cx, JSProtoKey key)
     if (!protoType)
         return nullptr;
 
-    protoType->interpretedFunction = functionProto;
+    protoType->setInterpretedFunction(functionProto);
     script->setFunction(functionProto);
 
     /*

js/src/jsinfer.cpp

@@ -3344,7 +3344,7 @@ TypeObject::print()
             fprintf(stderr, " noLengthOverflow");
         if (hasAnyFlags(OBJECT_FLAG_ITERATED))
             fprintf(stderr, " iterated");
-        if (interpretedFunction)
+        if (maybeInterpretedFunction())
             fprintf(stderr, " ifun");
     }
 
@@ -3749,7 +3749,7 @@ JSFunction::setTypeForScriptedFunction(ExclusiveContext *cx, HandleFunction fun,
             return false;
 
         fun->setType(type);
-        type->interpretedFunction = fun;
+        type->setInterpretedFunction(fun);
     }
 
     return true;
@@ -4319,7 +4319,7 @@ JSObject::makeLazyType(JSContext *cx, HandleObject obj)
     type->initSingleton(obj);
 
     if (obj->is<JSFunction>() && obj->as<JSFunction>().isInterpreted())
-        type->interpretedFunction = &obj->as<JSFunction>();
+        type->setInterpretedFunction(&obj->as<JSFunction>());
 
     obj->type_ = type;
 
@@ -4950,12 +4950,14 @@ TypeObject::fixupAfterMovingGC()
             if (IsForwarded(&typeDescr()))
                 addendum_ = Forwarded(&typeDescr());
             break;
+          case Addendum_InterpretedFunction:
+            if (IsForwarded(maybeInterpretedFunction()))
+                addendum_ = Forwarded(maybeInterpretedFunction());
+            break;
           default:
             MOZ_CRASH();
         }
     }
-    if (interpretedFunction && IsForwarded(interpretedFunction.get()))
-        interpretedFunction = Forwarded(interpretedFunction.get());
 }
 
 #endif // JSGC_COMPACTING

js/src/jsinfer.h

@@ -513,13 +513,13 @@ enum MOZ_ENUM_TYPE(uint32_t) {
       | OBJECT_FLAG_SETS_MARKED_UNKNOWN,
 
     // Mask/shift for the kind of addendum attached to this type object.
-    OBJECT_FLAG_ADDENDUM_MASK         = 0x04000000,
+    OBJECT_FLAG_ADDENDUM_MASK         = 0x0c000000,
     OBJECT_FLAG_ADDENDUM_SHIFT        = 26,
 
     // Mask/shift for this type object's generation. If out of sync with the
     // TypeZone's generation, this TypeObject hasn't been swept yet.
-    OBJECT_FLAG_GENERATION_MASK       = 0x08000000,
-    OBJECT_FLAG_GENERATION_SHIFT      = 27,
+    OBJECT_FLAG_GENERATION_MASK       = 0x10000000,
+    OBJECT_FLAG_GENERATION_SHIFT      = 28,
 };
 typedef uint32_t TypeObjectFlags;
 
@@ -1107,8 +1107,19 @@ struct TypeObject : public gc::TenuredCell
     /* Flags for this object. */
     TypeObjectFlags flags_;
 
+    // Kinds of addendums which can be attached to TypeObjects.
     enum AddendumKind {
+        Addendum_None,
+
+        // When used by interpreted function, the addendum stores the
+        // canonical JSFunction object.
+        Addendum_InterpretedFunction,
+
+        // When used by the 'new' type when constructing an interpreted
+        // function, the addendum stores a TypeNewScript.
         Addendum_NewScript,
+
+        // When used by typed objects, the addendum stores a TypeDescr.
         Addendum_TypeDescr
     };
 
@@ -1172,6 +1183,18 @@ struct TypeObject : public gc::TenuredCell
         setAddendum(Addendum_TypeDescr, descr);
     }
 
+    JSFunction *maybeInterpretedFunction() {
+        // Note: as with type descriptors, there is no need to sweep when
+        // accessing the interpreted function associated with an object.
+        if (addendumKind() == Addendum_InterpretedFunction)
+            return reinterpret_cast<JSFunction *>(addendum_);
+        return nullptr;
+    }
+
+    void setInterpretedFunction(JSFunction *fun) {
+        setAddendum(Addendum_InterpretedFunction, fun);
+    }
+
   private:
     /*
      * Properties of this object. This may contain JSID_VOID, representing the
@@ -1217,13 +1240,6 @@ struct TypeObject : public gc::TenuredCell
     Property **propertySet;
   public:
 
-    /* If this is an interpreted function, the function object. */
-    HeapPtrFunction interpretedFunction;
-
-#if JS_BITS_PER_WORD == 32
-    uint32_t padding;
-#endif
-
     inline TypeObject(const Class *clasp, TaggedProto proto, TypeObjectFlags initialFlags);
 
     bool hasAnyFlags(TypeObjectFlags flags) {