From 84f8af7a1fbda0005454337287de503724eaa978 Mon Sep 17 00:00:00 2001 From: Shu-yu Guo Date: Mon, 22 Jul 2013 16:12:06 -0700 Subject: [PATCH] Bug 895782 - Fix callsite cloning interaction with inline dispatch in Ion redux. (r=jandem) --- js/src/ion/IonBuilder.cpp | 6 ++++-- js/src/jit-test/tests/parallelarray/bug895782.js | 10 ++++++++++ 2 files changed, 14 insertions(+), 2 deletions(-) create mode 100644 js/src/jit-test/tests/parallelarray/bug895782.js diff --git a/js/src/ion/IonBuilder.cpp b/js/src/ion/IonBuilder.cpp index 5c5ec509248..272d71e03bb 100644 --- a/js/src/ion/IonBuilder.cpp +++ b/js/src/ion/IonBuilder.cpp @@ -4235,7 +4235,7 @@ IonBuilder::inlineCalls(CallInfo &callInfo, AutoObjectVector &targets, // // Note that guarding is on the original function pointer even // if there is a clone, since cloning occurs at the callsite. - dispatch->addCase(&originals[i]->as(), inlineBlock); + dispatch->addCase(original, inlineBlock); MDefinition *retVal = inlineReturnBlock->peek(-1); retPhi->addInput(retVal); @@ -4245,11 +4245,13 @@ IonBuilder::inlineCalls(CallInfo &callInfo, AutoObjectVector &targets, } // Patch the InlinePropertyTable to not dispatch to vetoed paths. + // + // Note that like above, we trim using originals instead of targets. if (maybeCache) { maybeCache->object()->setResultTypeSet(cacheObjectTypeSet); InlinePropertyTable *propTable = maybeCache->propTable(); - propTable->trimTo(targets, choiceSet); + propTable->trimTo(originals, choiceSet); // If all paths were vetoed, output only a generic fallback path. if (propTable->numEntries() == 0) { diff --git a/js/src/jit-test/tests/parallelarray/bug895782.js b/js/src/jit-test/tests/parallelarray/bug895782.js new file mode 100644 index 00000000000..d4620a9b87d --- /dev/null +++ b/js/src/jit-test/tests/parallelarray/bug895782.js @@ -0,0 +1,10 @@ +// Don't crash + +Object.defineProperty(this, "y", { + get: function() { + return Object.create(x) + } +}) +x = ParallelArray([1142], function() {}) +x = x.partition(2) +y + y