Bug 1073991 - Don't change types in JIT caches when the type's newScript has been cleared, r=jandem.

2024-09-13 09:24:08 -07:00 · 2014-09-30 10:28:51 -07:00 · 2014-09-30 10:28:51 -07:00 · 9de8a62ad8
commit 9de8a62ad8
parent 28965a1a08
3 changed files with 35 additions and 2 deletions
--- a/js/src/jit/BaselineIC.cpp
+++ b/js/src/jit/BaselineIC.cpp
@ -7911,13 +7911,26 @@ ICSetPropNativeAddCompiler::generateStubCode(MacroAssembler &masm)
    masm.loadPtr(Address(BaselineStubReg, ICSetProp_NativeAdd::offsetOfNewShape()), scratch);
    masm.storePtr(scratch, shapeAddr);

-    // Change the object's type if required.
+    // Try to change the object's type.
    Label noTypeChange;
+
+    // Check if the cache has a new type to change to.
    masm.loadPtr(Address(BaselineStubReg, ICSetProp_NativeAdd::offsetOfNewType()), scratch);
    masm.branchTestPtr(Assembler::Zero, scratch, scratch, &noTypeChange);
+
+    // Check if the old type still has a newScript.
+    Register scratch2 = protoReg;
+    masm.loadPtr(Address(objReg, JSObject::offsetOfType()), scratch2);
+    masm.branchPtr(Assembler::Equal,
+                   Address(scratch2, types::TypeObject::offsetOfNewScript()),
+                   ImmWord(0),
+                   &noTypeChange);
+
+    // Change the object's type.
    Address typeAddr(objReg, JSObject::offsetOfType());
    EmitPreBarrier(masm, typeAddr, MIRType_TypeObject);
    masm.storePtr(scratch, typeAddr);
+
    masm.bind(&noTypeChange);

    Register holderReg;
--- a/js/src/jit/IonCaches.cpp
+++ b/js/src/jit/IonCaches.cpp
@ -2583,11 +2583,27 @@ GenerateAddSlot(JSContext *cx, MacroAssembler &masm, IonCache::StubAttacher &att

    if (oldType != obj->type()) {
        // Changing object's type from a partially to fully initialized type,
-        // per the acquired properties analysis.
+        // per the acquired properties analysis. Only change the type if the
+        // old type still has a newScript.
+        Label noTypeChange, skipPop;
+
+        masm.push(object);
+        masm.loadPtr(Address(object, JSObject::offsetOfType()), object);
+        masm.branchPtr(Assembler::Equal,
+                       Address(object, types::TypeObject::offsetOfNewScript()),
+                       ImmWord(0),
+                       &noTypeChange);
+        masm.pop(object);
+
        Address typeAddr(object, JSObject::offsetOfType());
        if (cx->zone()->needsIncrementalBarrier())
            masm.callPreBarrier(typeAddr, MIRType_TypeObject);
        masm.storePtr(ImmGCPtr(obj->type()), typeAddr);
+
+        masm.jump(&skipPop);
+        masm.bind(&noTypeChange);
+        masm.pop(object);
+        masm.bind(&skipPop);
    }

    // Set the value on the object. Since this is an add, obj->lastProperty()
--- a/js/src/jsinfer.h
+++ b/js/src/jsinfer.h
@ -1236,6 +1236,10 @@ struct TypeObject : public gc::TenuredCell
        return offsetof(TypeObject, proto_);
    }

+    static inline uint32_t offsetOfNewScript() {
+        return offsetof(TypeObject, newScript_);
+    }
+
  private:
    inline uint32_t basePropertyCount() const;
    inline void setBasePropertyCount(uint32_t count);